[Mageia-discuss] Setting up a port forward

AL13N alien at rmail.be
Sat Sep 1 00:39:45 CEST 2012


On Friday, 31 August 2012 20:23:02, Anne Wilson wrote:
> On 31/08/12 16:28, AL13N wrote:
> > On Friday, 31 August 2012 12:41:37, Anne Wilson wrote: I need to
> > set up ssh in such a way that it comes in on a high port, say 5122
> > which is forwarded to 22 - or otherwise to have ssh listen on 5122.
> > I assume this is beyond MCC, and will entail editing iptables. This
> > is not something I'm familiar with.  Can someone please advise me?
> > 
> > Anne
> > 
> > better to put it in shorewall:
> > 
> > use the /etc/shorewall/rules file... on top of the file (and man
> > shorewall- rules) is documented...
> 
> I'd love to - but I'm not having much success.  After much reading of
> man pages (largely gobbledegook if you don't already know it) and
> tutorials from
> http://runtime.bordeaux.inria.fr/oaumage/oa/Teaching/ARSA_06/Shorewall/
> (much
> easier to understand) I ended up adding lines like
> 
> DNAT net loc:192.168.0.40 tcp 143 5143
> DNAT net loc:192.168.0.40 tcp 22 5122
> 
> An attempt to restart seems to imply that I can't forward two
> addresses like this, so I assume I'm on the wrong track altogether.
> 
> Before adding those lines I used to get
> 
> ssh: connect to host 192.168.0.40 port 5122: Connection refused
> 
> Now it just hangs.
> 
> Depressing :-(  This worked so easily and perfectly with the old,
> unreliable LinkSys router.  Now I have to find a way to configure it
> on local firewalls, and frankly I'm simply not up to it.

i also saw that DNAT is for port forwarding to another machine in the lan, 
while REDIRECT is for port forwarding on the firewall itself

so:

#ACTION  SRC DST PROTO DPORT SPORT
REDIRECT net  22   tcp      5122      -

(man page mentions that DEST parameter in case of REDIRECT can be $FW::port, 
but can also be only the port where it should be forwarded TO.)

if 192.168.0.40 is indeed your shorewall FW ip for that machine.


source port is not something you'll be using, almost never used. (your last 
column)

no offense, it seems to me that you're lacking some basic networking and 
firewalling knowledge to really understand what you're trying to do. If you 
want to learn such things, you could probably read up on the low-low basics of 
networking. (often people have middle understanding, but not the low basics, 
so they then mash up different things together.)

in this case, remember the following:

for tcp/udp, every ip packet has a source ip and dest ip. but also a source 
port and a dest port (iow: the dst has an ip and port it listens on; and the 
src has an ip and uses a source port to send it from, often in case of TCP, 
the reply has everything in reverse, including the ports)

ex:
192.168.0.50:54134 --> 192.168.0.40:22  (user sends 'echo hello world')
192.168.0.40:22 --> 192.168.0.50:54134  (server sends back 'hello world')
192.168.0.50:54134 --> 192.168.0.40:22  ...

also, to debug networking issues: tcpdump is a good program for it, you can 
see all the traffic that passes through an interface.

good luck
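To make the REDIRECT-versus-DNAT distinction from the post concrete, here is an added example (not from the list post or from Shorewall itself) that turns a /etc/shorewall/rules line into the essential iptables nat rule it corresponds to. It assumes the "net" zone is interface eth0 (a stand-in; Shorewall takes the real mapping from /etc/shorewall/interfaces) and only shows the core PREROUTING rule, not the extra chains Shorewall generates.

```sh
#!/bin/sh
# Added example: translate a Shorewall rules line (ACTION SRC DEST PROTO DPORT)
# into the iptables nat rule it amounts to, so the difference between
# REDIRECT (to a port on the firewall itself) and DNAT (to another host
# in the LAN) is visible in the generated command.
# Assumption: the "net" zone is interface eth0 (stand-in for the real
# zone-to-interface mapping in /etc/shorewall/interfaces).
NET_IFACE="eth0"

# Usage: shorewall_to_iptables ACTION SRC DEST PROTO DPORT
# Prints the equivalent iptables command on stdout; returns 1 on unsupported input.
shorewall_to_iptables() {
    action=$1; src=$2; dest=$3; proto=$4; dport=$5
    case "$src" in
        net) iface="$NET_IFACE" ;;
        *)   echo "unsupported SRC zone: $src" >&2; return 1 ;;
    esac
    case "$action" in
        REDIRECT)
            # DEST is "22" or "$FW::22": keep only the port after the last colon.
            port=${dest##*:}
            echo "iptables -t nat -A PREROUTING -i $iface -p $proto --dport $dport -j REDIRECT --to-ports $port"
            ;;
        DNAT)
            # DEST is zone:ip or zone:ip:port (e.g. loc:192.168.0.40:22).
            # Without an explicit port the original DPORT is kept.
            target=${dest#*:}
            case "$target" in
                *:*) ;;
                *)   target="$target:$dport" ;;
            esac
            echo "iptables -t nat -A PREROUTING -i $iface -p $proto --dport $dport -j DNAT --to-destination $target"
            ;;
        *)
            echo "unsupported ACTION: $action" >&2; return 1 ;;
    esac
}

# The rule from the post: ssh arriving on 5122 redirected to port 22 on the firewall.
shorewall_to_iptables REDIRECT net 22 tcp 5122
# The same forward done with DNAT, as it would be written if sshd ran on a LAN host.
shorewall_to_iptables DNAT net loc:192.168.0.40:22 tcp 5122
```

Note that the external port goes in DPORT and the internal port in DEST; the SPORT column (the client's ephemeral source port) stays "-".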
