
I have a daemon running on a CentOS (7) box that accepts raw TCP (not HTTP) connections, and I'd like to connect to the daemon from a remote machine via the internet. The problem is that the daemon will only accept connections that originate from localhost.

Also, I don't have any ability to change anything about how the daemon process handles communication, so any solution will have to "trick" it into thinking that external connections are originating locally on a specific port.

My current thinking is that I should be able to use iptables to proxy outside connections to the daemon, but I haven't yet found the right combination of firewall rules/directives to accomplish the task. I've also considered adding Nginx to the equation, but from what I understand, iptables alone should be enough.

I have intermediate Linux sysadmin experience, but am pretty new to iptables...

So, my question(s):

  1. What is the best/easiest way (iptables or not) to set up this configuration?
  2. If iptables is the best approach, what is the best way to test from the command line whether or not connections are working?

Thanks!

EDIT: I thought this might be helpful for any kind soul willing to help me out. I've tried various permutations of the below rules, but no luck:

Prerequisites

  1. echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
  2. sudo sysctl -w net.ipv4.conf.eth0.route_localnet=1

Firewall rules

# Setup basic forwarding
sudo iptables --append FORWARD -i eth0 -p tcp --dport 9876 -j ACCEPT

# Route all incoming packets at external interface (eth0) on port 9876 to localhost 9876
# -- OR --
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 9876 -j DNAT --to-destination 127.0.0.1:9876
# -- OR --
#sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 9876 -j REDIRECT --to-port 9876


# Make sure packets leaving the external interface have the external address of that interface
#sudo iptables -A POSTROUTING -t nat -o eth0 -p tcp --dport 9876 -d 127.0.0.1 -j SNAT --to-source 127.0.0.1
# -- OR --
sudo iptables -A POSTROUTING -t nat -s 127.0.0.1 -j SNAT --to-source XX.XX.XX.XX
# -- OR --
#iptables -A POSTROUTING -t nat -p tcp -d XX.XX.XX.XX --dport 9876 -j MASQUERADE
stephenrs
  • What googling have you done? Something along the lines of "port forwarding" should help, I think – aaaaa says reinstate Monica Dec 08 '16 at 01:07
  • @aaaaaa I have googled extensively, and am still googling. This seems like it should be pretty straightforward, but I must be missing something. I haven't found anyone describing the specific scenario that I have. – stephenrs Dec 08 '16 at 02:19
  • in Fedora something like this should be helpful: https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Configure_Port_Forwarding-CLI.html `~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.1` AFAIK Centos7 have `firewalld` – aaaaa says reinstate Monica Dec 08 '16 at 21:12
  • Also: are you sure that daemon actually works properly, i.e. listening and accepting packets on localhost:9876? In other words, how do you verify that "it doesn't work"? Also, TCP and HTTP are not comparable; they are on different layers (transport vs app layers) – aaaaa says reinstate Monica Dec 08 '16 at 21:14
  • @aaaaaa I'm currently not using the firewall-cmd approach, and I already have a customized iptables setup, so I'd rather not migrate to firewall-cmd... although I wish we had started with that technique. Also, I know the daemon/service is working properly, because it's being used in production. Now I want to access it remotely to do some further development and testing. In production, I'm accessing the service from a Python app, by creating direct socket connections to 127.0.0.1:9876. – stephenrs Dec 08 '16 at 23:33
  • have you read http://serverfault.com/questions/586486/how-to-do-the-port-forwarding-from-one-ip-to-another-ip-in-same-network – aaaaa says reinstate Monica Dec 09 '16 at 04:55
  • @aaaaaa Yes, and many like it, and as far as I can tell, the rules I've defined should work, so something appears to be missing. Do you see anything specifically wrong with the rules I posted, or have any specific comments about them? – stephenrs Dec 09 '16 at 07:44
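A point worth checking against the rules above: a packet that PREROUTING DNATs to 127.0.0.1 is delivered locally through INPUT and never traverses POSTROUTING, so no SNAT/MASQUERADE rule there can make the daemon see a 127.0.0.1 source. A small userspace relay can, because it opens its own connection to the daemon from the loopback address. The following asyncio relay is an added example, not code from the asker or from any answer; it assumes a listen port of 19876 and a constructed client allow-list (TEST-NET-3), and the daemon port 9876 is the one from the question.

```python
import asyncio, ipaddress

DAEMON_ADDR = ("127.0.0.1", 9876)                            # the localhost-only daemon
LISTEN_ADDR = ("0.0.0.0", 19876)                             # assumed public-facing port
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed allow-list

def client_allowed(peer_ip, allowed=ALLOWED_CLIENTS):
    """True only if the remote address falls inside an allow-listed network."""
    return any(ipaddress.ip_address(peer_ip) in net for net in allowed)

async def pump(reader, writer):
    """Copy bytes one way until EOF, then half-close so the reply can still flow back."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
        if writer.can_write_eof():
            writer.write_eof()
    except ConnectionError:
        writer.close()

async def handle_client(reader, writer, daemon=DAEMON_ADDR, allowed=ALLOWED_CLIENTS):
    """Relay one accepted connection to the daemon, connecting from 127.0.0.1."""
    if not client_allowed(writer.get_extra_info("peername")[0], allowed):
        writer.close(); return
    d_reader, d_writer = await asyncio.open_connection(*daemon, local_addr=("127.0.0.1", 0))
    await asyncio.gather(pump(reader, d_writer), pump(d_reader, writer))
    writer.close(); d_writer.close()

async def serve(listen=LISTEN_ADDR):
    async with await asyncio.start_server(handle_client, *listen) as server:
        await server.serve_forever()

async def self_test():
    """Loopback check: fake localhost-only echo daemon behind the relay; returns (peer seen, reply)."""
    seen, allowed = [], [ipaddress.ip_network("127.0.0.0/8")]
    async def fake_daemon(r, w):
        seen.append(w.get_extra_info("peername")[0])
        w.write(await r.read(1024)); await w.drain(); w.close()
    daemon = await asyncio.start_server(fake_daemon, "127.0.0.1", 0)
    relay = await asyncio.start_server(
        lambda r, w: handle_client(r, w, daemon.sockets[0].getsockname(), allowed), "127.0.0.1", 0)
    reader, writer = await asyncio.open_connection(*relay.sockets[0].getsockname())
    writer.write(b"ping\n"); await writer.drain(); writer.write_eof()
    reply = await reader.read()
    writer.close(); relay.close(); daemon.close()
    return seen[0], reply

def run_self_test():
    return asyncio.run(self_test())
```

Run `asyncio.run(serve())` as a non-root user on the box and test from the remote side with `nc -vz <server> 19876`; `run_self_test()` exercises the relay entirely on loopback and shows the daemon seeing 127.0.0.1 as the peer.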

0 Answers