Using iptables to proxy a port on a remote machine on a different network


machine A ( provides resource A on port 8888
machine B ( needs to access resource A

without modifying machine B (not allowed), create machine C and have any traffic to machine C on port 8888 forwarded to machine A. Then tell machine B that machine C is machine A and nobody is the wiser. None of the examples I found online had this working properly.

I eventually came up with the following.
machine C has two interfaces:
one that is on the same network as machine B - eth0
one that is on the same network as machine A - eth1

:OUTPUT ACCEPT [4698:1663560]
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8888 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -j ACCEPT
:OUTPUT ACCEPT [831:65096]
-A PREROUTING -d -p tcp -m tcp --dport 8888 -J dnat --TO-DESTINATION
-a postrouting -o eth1 -j MASQUERADE

So we allow from eth0 to eth1 on port 8888 with the forward rule which then passes to the nat table for masquerading. The thing that most blogs are missing is the reverse connection from eth1 to eth0 with the established traffic. Without that you can connect and send data but nothing ever comes back. You have to enable ip_filter with sysctl as usual. You might need to enable rp_filter, but I didn't.

About the Author...

Slides from LISA 2019 Linux systems troubleshooting #LISA2019 Tue Oct 29 05:59:30 +0000 2019 configuring grub2 with EFI Fri Sep 13 05:20:01 +0000 2019

I published a Thing on @thingiverse! #thingalert Tue Jul 23 19:27:57 +0000 2019

Nokogiri install on MacOSX Fri Jul 12 15:06:49 +0000 2019

HTML email with plain mailer plugin on Jenkins Thu Jul 11 21:07:25 +0000 2019