1

I need to forward from a single IP to a URL (because the destination server uses a range of IPs and switches among them) using iptables.

Is it possible to do that?

If so, I was considering using this:

iptables -t nat -A PREROUTING -p tcp --dport 10022 -j DNAT --to sftp.cl.cloud.mypega.com:22
iptables -A FORWARD -d sftp.cl.cloud.mypega.com -p tcp --dport 22 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth69 -j MASQUERADE

Is this correct?

Gerald Schneider
czumelzu
    *"I need to forward from a single IP to a URL (...) using iptables."* No, you most likely don't. [You might think that you do, though.](https://meta.stackexchange.com/q/66377/157730) What problem are you trying to solve by doing this? – user May 12 '17 at 14:02
  • One forwards inbound traffic through a firewall to an internal destination. Outbound traffic to a destination is routed. By your wording, you're trying to implement routing with a firewall tool. @MichaelKjörling is right, you're assuming that your current problem is that your solution to the task at hand is broken. It may be the wrong solution. What is your task at hand? – Jeter-work May 12 '17 at 14:35
  • What I need to do is open an sftp session from a server inside my network to an sftp server in the cloud. – czumelzu May 12 '17 at 19:44
  • @Xalorous Thanks for the response. What I need to do is open an sftp session from a server inside my network to an sftp server in the cloud (internet), passing through a server in the DMZ. I have done that when the sftp server had a single IP address, but now this new sftp server uses a range of IP addresses (the owner of that destination server changes the IP address periodically), so they gave me a name (sftp.cl.cloud.mypega.com) and an IP range to connect to. The internal server has a single IP address, and the server in the DMZ has two interfaces (internal and public). – czumelzu May 12 '17 at 19:51
  • Ok, I think I can narrow down your problem for you. What you need to know is how to open a port for outbound sftp traffic from one or more hosts within your network. The destination IP in this case does not matter. You can do this based solely on source IP and connection info (port+protocol). – Jeter-work May 12 '17 at 20:18

3 Answers

1

No, it will not work. Although you can supply host names to iptables, they will not get resolved dynamically. According to the man page:

Hostnames will be resolved once only, before the rule is submitted to the kernel.

So the rule will forward the packets to the IP address which got resolved upon submitting the rule.

Lacek
0

This won't work with bare iptables. You'll need to set up a proxy (i.e. haproxy, apache httpd, nginx) that does reverse-proxying to the destination you want and DNAT to that proxy instead.

Andreas Rogge
0

The real question is "how do I allow sftp traffic out of my host?"

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT

Yes, that's the same as SSH. If you want to limit it to only certain hosts in your network you adjust it accordingly. I took that from here: IPTables: allow outgoing SSH. This also recommends two stateful rules to allow continued communication once the connection is established:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The destination's DMZ, FQDN, IP address scheme and IP rotation are irrelevant. As long as the FQDN you've been given is valid and registered, DNS will allow TCP/IP to get the packets where they need to go.

If the DMZ server you mention is YOUR DMZ, and the server is acting as your firewall, you need to accept packets from the source server and forward them to the interface hosting the public facing IP. You'll also need to open traffic inbound, port 22, destination address of your internal server. ACCEPT that and forward to internal network.

Notice that you don't need to know the destination FQDN for any of this. If they had a nice static IP address, you could possibly lock down the rules to only allow sftp (and SSH) to/from those sites.

Jeter-work
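Putting this answer's source-and-state approach into a complete rule set for the dual-homed DMZ box, as an added example that is not part of the original answer. The internal host 10.0.0.5, inside interface eth1 and outside interface eth0 are assumed values; the external SFTP server's name or IP range never appears, which is the point.

```shell
#!/bin/sh
# Added example, not from the original answers: forwarding rules for one
# internal host reaching an external SFTP server through a dual-homed DMZ
# firewall. The filter keys on source address, protocol/port and connection
# state only, so the destination's rotating IPs are irrelevant.
# Assumed values: internal host 10.0.0.5, inside interface eth1, outside eth0.
# IPT defaults to "echo iptables" so the script prints the rules instead of
# applying them; run as root with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

sftp_forward_rules() {
    src="$1"; in_if="$2"; out_if="$3"
    # Only NEW SFTP connections from the named internal host may leave.
    $IPT -A FORWARD -i "$in_if" -o "$out_if" -s "$src" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Reply traffic for sessions already tracked by conntrack, both directions.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything else crossing the box is logged (for detection) and dropped.
    # Assumes the FORWARD chain is otherwise empty when these rules are added.
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -j DROP
    # Hide the internal address behind the public-facing interface.
    $IPT -t nat -A POSTROUTING -o "$out_if" -s "$src" -j MASQUERADE
}

sftp_forward_rules 10.0.0.5 eth1 eth0
```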