# Help needed with iptables rule to forward subversion request

## yarug

Hi all,

I'm sure this must have been done before, but I cannot seem to find anything on the net that I can use.

I have some colocated boxes sitting in a datacenter, all Gentoo. One of the boxes acts as a gateway; I have 1 WAN and 1 LAN interface on that box. That box is running iptables for a firewall. On one of the boxes on the LAN I have now set up a subversion repository that I want to access from the WAN using svn+ssh. That means I must set up some iptables rules to allow and forward svn+ssh protocol calls to the gateway.

I was hoping one of you could help me with establishing those rules. I would like to identify the gateway from the WAN side as svn.domain.com or something. The subversion repository is on a box with internal ip address 192.168.0.4

Any help appreciated!

----------

## di1bert

I used the rules below a number of times. The way I see it you'll need it twice: once for the forwarding of port 22 and once for the forwarding of Subversion (port 3690 according to /etc/services).

```
EXTERNALSOURCE=<IP>
INTERNALSERVER=<IP>
PORT=<PORT>
EIF=<EXTERNAL INTERFACE>
IIF=<INTERNAL INTERFACE>

iptables -t nat -A PREROUTING -i $EIF -p tcp -s $EXTERNALSOURCE --dport $PORT -j DNAT --to $INTERNALSERVER
iptables -A FORWARD -i $EIF -p tcp -d $INTERNALSERVER --dport $PORT -j ACCEPT
iptables -A FORWARD -i $EIF -m state --state ESTABLISHED,RELATED -d $INTERNALSERVER -j ACCEPT
iptables -A FORWARD -i $IIF -p tcp -s $INTERNALSERVER --sport $PORT -j ACCEPT
iptables -t nat -A POSTROUTING -o $EIF -p tcp -s $INTERNALSERVER --sport $PORT -j SNAT --to $INTERNALSERVER
```

Shout if this doesn't make sense...

HTH

-m

----------

## yarug

Thank you for your reply. I have tried your suggestion, but I don't think that it works.

Your line:

```
iptables -t nat -A PREROUTING -i $EIF -p tcp -s $EXTERNALSOURCE --dport $PORT -j DNAT --to $INTERNALSERVER
```

My values:

```
iptables -t nat -A PREROUTING -i eth2 -p tcp -s svn.mydomain.com --dport 22 -j DNAT --to 192.168.0.4
```

iptables-save output:

```
-A PREROUTING -s 87.253.137.213 -i eth2 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.4
```

My domain name resolves to 87.253.137.213. This is a wildcard DNS entry, so everything resolves to that IP address. What I'd like is for iptables to forward any traffic to svn.mydomain.com to the server hosting subversion (here 192.168.0.4) and NOT all traffic to 87.253.137.213. I could get around that if I would just need to forward port 3690.

However, the above method does not seem to work at all because when I ssh to svn.mydomain.com I end up in a shell on the gateway server anyway and not on 192.168.0.4?

Any more thoughts appreciated,

Nes

----------

## Hu

Forwarding is done based on IP address, not hostname.  Thus, iptables cannot tell whether the incoming connection was entered as svn.example.com, gateway.example.com, or 87.253.137.213.  All three will be the same to it.  If I understand correctly, you want to forward ssh traffic to the internal host only when the user wrote svn.example.com on the command line, but not when the user wrote gateway.example.com.  You need a separate external IP address, or to forward a different port.  For example, you could forward 87.253.137.213:23 to the internal host and leave 87.253.137.213:22 connected to the sshd on the gateway.

----------

## yarug

Okay, thanks for clearing that up. I did get multiple IP addresses from my hosting provider. Can 1 external interface (eth2) handle multiple IP addresses? If so, how can I assign say 2 or 3 static IP addresses to it?

Many thanks,

Nes

----------

## yarug

Just to answer my post above, I added an additional IP address to the eth2 interface as follows:

```
ifconfig eth2:1 87.253.137.216 netmask 255.255.255.128
route add -host 87.253.137.129 dev eth2:1
```

So I've been trying the port forwarding with port 22 (ssh), but when I ssh to 87.253.137.216 I still end up on the gateway and not on 192.168.0.4 as I want.

Here is the output from iptables-save:

```
# Generated by iptables-save v1.3.5 on Wed Aug  1 10:11:30 2007
*nat
:PREROUTING ACCEPT [23069:1418154]
:POSTROUTING ACCEPT [1191:72436]
:OUTPUT ACCEPT [2713:183754]
-A PREROUTING -s 87.253.137.216 -i eth2 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.4
-A POSTROUTING -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.4 -o eth2 -p tcp -m tcp --sport 22 -j SNAT --to-source 192.168.0.4
COMMIT
# Completed on Wed Aug  1 10:11:30 2007
```

Your thoughts appreciated,

Nes

----------

## Rob1n

*yarug wrote:*

> So I've been trying the port forwarding with port 22 (ssh), but when I ssh to 87.253.137.216 I still end up on the gateway and not on 192.168.0.4 as I want.
>
> Here is the output from iptables-save:
>
> # Generated by iptables-save v1.3.5 on Wed Aug  1 10:11:30 2007
> ...

Shouldn't this be:

```
-A PREROUTING -d 87.253.137.216 -i eth2 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.4
```

As it's the original destination you're trying to match, not the source.

And I'm not sure what this is supposed to do (it looks to do nothing to me):

*Quote:*

> -A POSTROUTING -s 192.168.0.4 -o eth2 -p tcp -m tcp --sport 22 -j SNAT --to-source 192.168.0.4

Should the --to-source point to 87.253.137.216 instead?

----------

## yarug

Yes, you are right. The code in the first reply had -s so I used that. But I have changed it just now to -d and it started working! Now when I ssh to 87.253.137.216 I end up on host 192.168.0.4.

Many thanks for all your replies!

Nes
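The corrected rule set from this thread, written out as an added example (not posted by anyone in the thread): a function that renders the DNAT/FORWARD/SNAT rules for one secondary external IP matched on its destination, plus a small lint that flags the `-s`/`-d` mix-up in an iptables-save line. The interface, addresses and port default to the thread's values; the rule names and helper functions are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the corrected DNAT rule set
# for forwarding one secondary external IP (alias eth2:1) to an internal host,
# and lints an iptables-save PREROUTING line for the -s/-d mistake.

# Print the rules rather than applying them, so they can be reviewed first.
render_dnat_rules() {
    ext_if=${1:-eth2}; ext_ip=${2:-87.253.137.216}
    int_ip=${3:-192.168.0.4}; port=${4:-22}
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# match the ORIGINAL destination (the alias IP), never the client's source
iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $int_ip
iptables -A FORWARD -i $ext_if -d $int_ip -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $int_ip -p tcp --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT
# conntrack reverses the DNAT on replies by itself; this SNAT only makes the
# internal host's own outbound traffic leave as the alias IP instead of the
# gateway's primary IP, so it must sit BEFORE any general MASQUERADE rule
iptables -t nat -A POSTROUTING -o $ext_if -s $int_ip -j SNAT --to-source $ext_ip
EOF
}

# Returns 0 if a PREROUTING DNAT line matches the external address with -d,
# 1 if it uses -s (the mistake in the thread) or matches neither.
lint_dnat_rule() {
    line=$1; ext_ip=$2
    case " $line " in
        *" -d $ext_ip "*) return 0 ;;
        *" -s $ext_ip "*) echo "BAD: matches source $ext_ip, should be -d" >&2; return 1 ;;
        *) echo "BAD: rule does not match destination $ext_ip" >&2; return 1 ;;
    esac
}

# Constructed sample lines: the thread's broken rule and Rob1n's corrected one.
bad='-A PREROUTING -s 87.253.137.216 -i eth2 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.4'
good='-A PREROUTING -d 87.253.137.216 -i eth2 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.4'
lint_dnat_rule "$bad" 87.253.137.216 || true
lint_dnat_rule "$good" 87.253.137.216 && render_dnat_rules
```

Pipe the rendered output to `sh` only after reviewing it; the rules append to whatever is already loaded, so check `iptables-save` for the existing MASQUERADE rule first.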

----------

