Suppose there are hosts A and B. A is allowed SSH access to B based on its IP address. Consider now another host C. C does not have access to B, but if we could route its traffic through A, then C could access B. The problem is, how to do this kind of address translation? No two hosts are on the same LAN.

My first thought was to do SNAT with iptables on A:
iptables -t nat -A POSTROUTING --protocol tcp --source C --destination B --sport 7777 --dport 22 -j SNAT --to-source A
meaning that C should try to connect to A:7777, but I realized that routing the packet before SNAT spoils everything, therefore address translation should be done in PREROUTING -- which unfortunately is impossible. Another thought was to set up a VPN, but I think it is too complicated. Is there a neat way to do this, preferably with something as clean as iptables?
You need dual NAT -- destination NAT before routing and source NAT after routing. See this answer for an example of dual NAT.
– David Schwartz – 2012-11-09T03:55:38.867
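The dual NAT the comment describes, written out as an added example (this is not the asker's rule and not code from the comment). It runs on the relay host A; the addresses and port it takes are placeholders supplied by the caller: A's address facing B, B's address, and the port C connects to on A. The DNAT rule sits in PREROUTING, so the rewritten destination is what the routing decision sees; the SNAT rule sits in POSTROUTING, so B sees the connection arriving from A. The script prints the rules by default and only applies them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example: dual NAT on relay host A (not from the original question or comment).
# Placeholders, passed as arguments: A_IP (A's address as seen by B), B_IP, RELAY_PORT.
set -eu

# Emit the iptables/sysctl commands that implement dual NAT on A, one per line.
dual_nat_rules() {
    a_ip=$1; b_ip=$2; relay_port=$3
    # 1. Before routing: packets arriving for A:RELAY_PORT get their destination
    #    rewritten to B:22, so the routing decision forwards them to B.
    printf '%s\n' "iptables -t nat -A PREROUTING -p tcp --dport $relay_port -j DNAT --to-destination $b_ip:22"
    # 2. After routing: the source becomes A's address, so B's IP-based allow list
    #    matches A and B's replies come back through A, where conntrack reverses both NATs.
    printf '%s\n' "iptables -t nat -A POSTROUTING -p tcp -d $b_ip --dport 22 -j SNAT --to-source $a_ip"
    # 3. The forwarded flow must also pass the filter table's FORWARD chain.
    printf '%s\n' "iptables -A FORWARD -p tcp -d $b_ip --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    printf '%s\n' "iptables -A FORWARD -p tcp -s $b_ip --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # 4. Without forwarding enabled the kernel drops packets not addressed to A itself.
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"
}

# Print the commands (default) or run them when DRY_RUN=0; applying requires root on A.
apply_dual_nat() {
    dual_nat_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf '# %s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Constructed sample addresses; the dry run just lists what would be applied.
apply_dual_nat 192.0.2.10 198.51.100.20 7777
```

On B, every connection relayed this way is logged with A's address, which is the point to keep in mind on the other side of the setup: an allow list keyed on source IP trusts the whole host A, not a particular user on it, and B's logs cannot distinguish C from A once the SNAT is in place.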