The situation involves 3 machines:

  • A: Some laptop connected somewhere to the Internet via any means
  • B: A server connected to the Internet through a standard ISP (static IP provided by dyndns: myserver.dyndns.com)
  • C: Another server connected to the Internet via a 4G dongle

A <--- ISP 1 --- ISP 2 ---> B <--- ISP 2 --- 4G ---> C

As the 4G dongle rejects new incoming connections, I put in place an autossh channel to connect from A to C via B:

autossh -M 0 -N [email protected] -R 10022:127.0.0.1:22 -R 10000:127.0.0.1:10000

That works great.

Now, I would like to access the 4G dongle's web interface by typing

myserver.dyndns.com:80

So I tried NATing things:

  • On B:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:10000
    

    and

    iptables -t nat -A POSTROUTING -p tcp -d 127.0.0.1 --dport 10000 -j MASQUERADE
    
  • On C:

    iptables -t nat -A PREROUTING -p tcp --dport 10000 -j DNAT --to-destination 192.168.8.1:80
    

    and

    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    

Note: eth1 is the 4G dongle's interface, C's IP on that interface is 192.168.8.100 and the dongle's is 192.168.8.1.

Unfortunately, that doesn't work. I also activated IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

When typing

iptables -t nat -L -v -n

on B and C, only the PREROUTING line of B sees its packet count increase after each attempt.

This may be due to a non-complete understanding of how netfilter works.

I'd appreciate any help you could provide!

Thomas

1 Answer

Please, could you provide iptables -t filter -nvL outputs on servers B and C?

I guess the autossh channel runs on server C. Is that right? If so, I suggest a different approach. On B, you need a REDIRECT rule, because the kernel will not allow an unprivileged user to open port 80.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 10000
iptables -t filter -A INPUT -p tcp --dport 10000 -j ACCEPT

(EDIT): On server B, GatewayPorts must be enabled in /etc/ssh/sshd_config:

# /etc/ssh/sshd_config
GatewayPorts clientspecified

On server C, forward connections directly to the dongle by modifying autossh arguments:

autossh -M 0 -N [email protected] -R 10022:127.0.0.1:22 \
    -R :10000:192.168.8.1:80

The only error I see in your setup resides in the PREROUTING chain rule of server C. In this scenario, it will not be evaluated because it affects only packets that enter through network interfaces. Connections created by ssh are locally generated, so they would be affected by rules in the OUTPUT chain.

  • Hi @Anderson. Thanks a lot for your help: the REDIRECT target and the GatewayPorts setting were the two keywords. The first can be put into perspective with other posts such as [this post](http://serverfault.com/questions/363899/iptables-dnat-from-loopback): DNAT seems to be forbidden for localhost destinations. For the record, I tried to DNAT to a non-loopback IP assigned to B (e.g. its eth0 IP) and it worked too! – Thomas Mar 07 '16 at 10:34
  • @Thomas, there is a third keyword. The first colon in the `-R :10000:192.168.8.1:80` argument makes SSH bind the remote socket to the wildcard address (if `GatewayPorts` allows it). SSH binds listening sockets to the loopback addresses (`127.0.0.1` and `::1`) by default, and neither the `REDIRECT` nor the `DNAT` target would work in this case. – Anderson Medeiros Gomes Mar 07 '16 at 12:24
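The answer and its comments boil down to three conditions on B that are easy to get subtly wrong: sshd must allow a wildcard bind (GatewayPorts), the ssh -R listener on port 10000 must actually be on 0.0.0.0 rather than 127.0.0.1 (REDIRECT sends the packet to the primary address of the interface it arrived on, or to 127.0.0.1 only for locally generated packets, so a loopback-only listener is never reached), and filter/INPUT must accept port 10000, because by the time the packet reaches INPUT its destination port has already been rewritten. With the modified -R argument, C needs no iptables rules at all: the ssh client on C opens the connection to 192.168.8.1:80 itself. The script below is an added example, not code from the question or the answer, that checks those conditions offline against constructed sshd_config and `ss -ltn` samples and prints idempotent rules for B. One caveat the answer's plain ACCEPT does not cover: a wildcard bind makes the dongle's web interface reachable from the whole Internet on both :80 and :10000, so the generated INPUT rule restricts the source to an admin network; the value 203.0.113.0/24 used for it is an assumed documentation-range address, and the forwarded port 10000 is taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It checks the
# B-side conditions the answer relies on: GatewayPorts must allow a wildcard
# bind, the ssh -R listener must be on 0.0.0.0 (not 127.0.0.1), and the
# REDIRECT/INPUT rules must exist. All sample outputs below are constructed,
# not captured from a real server.

FWD_PORT=10000

# gatewayports_ok CONFIG_TEXT
# Returns 0 when the first effective GatewayPorts directive is "yes" or
# "clientspecified". sshd takes the first occurrence of a keyword, so the
# first uncommented line wins here too (Match blocks are not handled).
gatewayports_ok() {
    val=$(printf '%s\n' "$1" \
        | grep -iE '^[[:space:]]*GatewayPorts[[:space:]]' \
        | head -n1 | awk '{print tolower($2)}')
    case "$val" in
        yes|clientspecified) return 0 ;;
        *) return 1 ;;
    esac
}

# listener_addrs SS_OUTPUT PORT
# Prints the local address of every LISTEN socket on PORT from `ss -ltn` output.
listener_addrs() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, parts, ":"); p = parts[n]
            if (p == port) print substr($4, 1, length($4) - length(p) - 1)
        }'
}

# wildcard_listener SS_OUTPUT PORT
# Returns 0 if PORT is bound on a wildcard address. A loopback-only bind (the
# ssh default when -R has no leading ":") cannot be reached by REDIRECT, which
# sends an incoming packet to the primary address of the interface it arrived
# on, not to 127.0.0.1.
wildcard_listener() {
    listener_addrs "$1" "$2" | grep -qxE '0\.0\.0\.0|[*]|\[::\]'
}

# b_side_rules ADMIN_CIDR
# Prints idempotent iptables commands for B. Traffic to :80 is rewritten to
# :$FWD_PORT in nat/PREROUTING, so filter/INPUT must accept $FWD_PORT, not 80.
# The wildcard bind also exposes :$FWD_PORT itself to the Internet, so the
# ACCEPT is limited to ADMIN_CIDR (an assumed value, see the lead-in).
b_side_rules() {
    admin="$1"
    cat <<EOF
iptables -t nat -C PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $FWD_PORT 2>/dev/null \\
  || iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $FWD_PORT
iptables -C INPUT -p tcp -s $admin --dport $FWD_PORT -j ACCEPT 2>/dev/null \\
  || iptables -A INPUT -p tcp -s $admin --dport $FWD_PORT -j ACCEPT
EOF
}

# Constructed samples used by the demo and the checks.
SAMPLE_SSHD_DEFAULT='# /etc/ssh/sshd_config
#GatewayPorts no
PermitRootLogin no'
SAMPLE_SSHD_FIXED='# /etc/ssh/sshd_config
GatewayPorts clientspecified
PermitRootLogin no'
# ssh -R 10000:127.0.0.1:10000 (no leading colon): loopback only
SAMPLE_SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:10000    0.0.0.0:*
LISTEN 0      128    [::1]:10000        [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
# ssh -R :10000:192.168.8.1:80 with GatewayPorts clientspecified: wildcard
SAMPLE_SS_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:10000      0.0.0.0:*
LISTEN 0      128    [::]:10000         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Run as: sh check_b.sh --demo   (nothing is applied; rules are only printed)
if [ "${1:-}" = "--demo" ]; then
    for cfg in "$SAMPLE_SSHD_DEFAULT" "$SAMPLE_SSHD_FIXED"; do
        gatewayports_ok "$cfg" && echo "GatewayPorts: ok" \
            || echo "GatewayPorts: wildcard bind refused, fix sshd_config"
    done
    for out in "$SAMPLE_SS_LOOPBACK" "$SAMPLE_SS_WILDCARD"; do
        wildcard_listener "$out" "$FWD_PORT" \
            && echo "port $FWD_PORT: wildcard, REDIRECT will reach it" \
            || echo "port $FWD_PORT: bound on $(listener_addrs "$out" "$FWD_PORT" | head -n1), REDIRECT will not reach it"
    done
    b_side_rules 203.0.113.0/24   # assumed admin source network (documentation range)
fi
```

On a live B, replace the samples with `cat /etc/ssh/sshd_config` and `ss -ltn` and pipe the printed rules to `sh` as root once they look right; the `-C`-then-`-A` pattern keeps repeated runs from stacking duplicate rules.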