Route/NAT/Port forwarding for one port only?

1

I'm not sure what the correct term to use is, and I don't know what tools I should use. The only thing I have is a goal I'd like to accomplish.

I have two Linux machines (A and B) and a remote service. The service is listening on port 16000. The outgoing connection from machine A on port 16000 is blocked by a firewall, but on B it is not. I need to access the service from A, so it will probably need to be routed (correct term?) through B. I cannot modify the program which is accessing the service (so it will always try port 16000).

I know there are a lot of tutorials on similar topics, but I don't know which one I should follow, because there are apparently many possibilities. I have full access to both machines. I'm a simple developer, not a Linux admin, but this is really a blocker for me :( What is the best way to accomplish that? What should I execute on machine A and on machine B?

Thanks.

NeplatnyUdaj

Posted 2013-05-22T13:24:30.933

Reputation: 113

Answers

3

I don't know the best way; there are several.

Fix the firewall

This seems best to me. It isn't clear from your question where the firewall is (is it a separate device, a function of a router, or a software firewall on A?).

Routing

You can probably route all traffic from A to B but I would avoid this.

You'd have to configure A with a static network configuration that gives B's address as the default gateway.

You'd have to configure B as a one-armed router.

You might have to perform some extra NAT tricks on the real LAN-Internet router so that return traffic for A is instead delivered to B.

It would probably be easier to put A on a subnet by itself and add a NIC to B.

Wait and see if someone comes up with an easy solution. I'd try my other idea below first.

Forwarding

You could, for example, add an /etc/hosts entry on A that associates the DNS name of the service with the IP address of B. Usually name resolvers consult /etc/hosts first (if not, you can specify the order; details depend on the OS).

On B, use something like socat to set up a forwarder/relay listening on port 16000 that acts as a proxy. See the 3rd example in the socat documentation.

RedGrittyBrick

Posted 2013-05-22T13:24:30.933

Reputation: 70 632

Fix the firewall is unfortunately not an option (I'm just a tiny developer in a huge company). Routing: I need just a single port. Forwarding: this looks good, I'll try that. – NeplatnyUdaj – 2013-05-22T14:05:30.353

Be careful with forwarding/routing. If you can't convince those above you in your company, or the group that maintains the firewall/security of your company, that your requested change is justified, you probably won't have much luck defending yourself when they discover that you circumvented their firewall. Depending on what sort of regulations your company is required to follow, you could end up in court facing criminal charges on top of losing your job. – chuck – 2013-05-22T15:18:06.757

Thanks for all the input. Finally I was able to convince the IT department that I really need that, so no workarounds are necessary now. – NeplatnyUdaj – 2013-05-27T11:16:07.557

1

If any outgoing connection to 16000 from Server A is blocked, and the application can connect only to port 16000, your only hope is that you are allowed to connect to local port 16000 (local as in Server A).

If that's possible, just set up SSH port forwarding from local port 16000 to Server B:

ssh -L 16000:service:16000 server_b

Martin Prikryl

Posted 2013-05-22T13:24:30.933

Reputation: 13 764

I don't have to do anything else on machine B? It looks strange. Also, what if I wanted to route port 16000 for all destinations? The connection between A and B is completely unrestricted. I only have a problem reaching something on the Internet from A. – NeplatnyUdaj – 2013-05-22T14:02:42.517

As long as there's an SSH server on B and you have an account there AND you can connect to SSH on B, you do not need to do anything on B. From your comment, though, it looks like you cannot connect to SSH on B either, which you have not specified in your question. – Martin Prikryl – 2013-05-22T14:05:46.147

I have ssh there. Can I put something else there instead of :service:? I want all traffic on port 16000 to be routed through B. – NeplatnyUdaj – 2013-05-22T14:18:14.287

When I do what you suggested and turn on the verbose mode of ssh, I see this in the output:

`Local connections to LOCALHOST:16000 forwarded to remote address service:16000`

I'm not sure it's exactly what I need. Or is it? Is it the output from the remote machine? – NeplatnyUdaj – 2013-05-22T14:38:15.627

The service is just a placeholder for a host name, where your remote service is running. – Martin Prikryl – 2013-05-23T07:59:37.553

I know. I'm just asking if I can do that for all network services on that port. – NeplatnyUdaj – 2013-05-27T11:15:02.257

You cannot have more services on one port. – Martin Prikryl – 2013-05-27T11:18:27.383
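Both answers come down to the same two pieces: something on A that makes the unmodifiable program connect somewhere other than the blocked destination (the /etc/hosts override from the first answer), and a forwarder that carries port 16000 to the real service (socat on B in the first answer, or ssh -L from A in the second). The script below is an added example, not code from either answer or from the asker. It assumes the program on A reaches the service by DNS name (SERVICE_HOST, a placeholder), that the port is 16000 as in the question, and that "server_b" is B's SSH host name as in the second answer. It also adds the two checks a practitioner would want: the hosts edit is idempotent and reversible, and the socat relay refuses to bind all interfaces, because a relay on 0.0.0.0 turns B into an open proxy to the service for anyone who can reach B.

```shell
#!/bin/sh
# Added example, not from the original answers. Placeholders: SERVICE_HOST,
# server_b, and the B address passed on the command line.
#   socat variant:  on B: b-relay <B address A can reach>   on A: a-hosts <that address>
#   ssh -L variant: on A: a-hosts 127.0.0.1  then  a-tunnel server_b
SERVICE_HOST="${SERVICE_HOST:-service.example.com}"   # placeholder, assumed
SERVICE_PORT="${SERVICE_PORT:-16000}"                 # from the question
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# True if $1 is a TCP port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Escape the dots of a host name so grep -E matches it literally.
_name_re() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# Point NAME at ADDR in the hosts file FILE. Idempotent: any line that already
# lists NAME as a whole field (an earlier override included) is dropped first.
# The file is rewritten with "cat >" so its inode and mode survive the edit.
set_hosts_override() {
    file=$1 name=$2 addr=$3
    tmp=$(mktemp) || return 1
    grep -Ev "[[:space:]]$(_name_re "$name")"'([[:space:]]|$)' "$file" > "$tmp" || true
    printf '%s\t%s\t# port-%s relay override\n' "$addr" "$name" "$SERVICE_PORT" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Undo set_hosts_override: remove every line that lists NAME as a whole field.
remove_hosts_override() {
    file=$1 name=$2
    tmp=$(mktemp) || return 1
    grep -Ev "[[:space:]]$(_name_re "$name")"'([[:space:]]|$)' "$file" > "$tmp" || true
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Print the socat command for B: listen on BIND_ADDR:PORT, give each accepted
# connection its own child (fork), and connect it to TARGET:PORT. Binding
# 0.0.0.0 exposes the relay to every host that can reach B, so it requires
# ALLOW_ANY=1; normally BIND_ADDR is the one address of B that A talks to.
socat_relay_cmd() {
    bind=$1 port=$2 target=$3
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    if [ "$bind" = 0.0.0.0 ] && [ "${ALLOW_ANY:-0}" != 1 ]; then
        echo "refusing to bind all interfaces; set ALLOW_ANY=1 to override" >&2
        return 1
    fi
    printf 'socat TCP-LISTEN:%s,bind=%s,fork,reuseaddr TCP:%s:%s\n' \
        "$port" "$bind" "$target" "$port"
}

# Print the ssh -L command for A (second answer): connections to local
# 127.0.0.1:PORT ride the SSH session to B, and B connects to TARGET:PORT.
# TARGET is resolved on B, so the hosts override on A (which must map the
# service name to 127.0.0.1 for this variant) does not interfere with it.
# -N: forward only, no remote shell. The explicit 127.0.0.1 bind keeps the
# listener off A's other interfaces.
ssh_forward_cmd() {
    port=$1 target=$2 gateway=$3
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$port" "$target" "$port" "$gateway"
}

main() {
    case "$1" in
        a-hosts)  set_hosts_override "$HOSTS_FILE" "$SERVICE_HOST" "${2:?address of B, or 127.0.0.1 for the ssh variant}" ;;
        a-revert) remove_hosts_override "$HOSTS_FILE" "$SERVICE_HOST" ;;
        # $cmd is deliberately unquoted: it is a command line to be word-split.
        b-relay)  cmd=$(socat_relay_cmd "${2:?address of B that A can reach}" "$SERVICE_PORT" "$SERVICE_HOST") && exec $cmd ;;
        a-tunnel) cmd=$(ssh_forward_cmd "$SERVICE_PORT" "$SERVICE_HOST" "${2:-server_b}") && exec $cmd ;;
        check)    ss -ltn "sport = :$SERVICE_PORT" ;;   # who is listening on the port, and on which address
        *) echo "usage: $0 a-hosts ADDR | a-revert | b-relay BIND_ADDR | a-tunnel [SSH_HOST] | check" >&2; return 2 ;;
    esac
}

# Dispatch only when given arguments, so the functions can be sourced or
# tested without touching /etc/hosts or starting anything.
if [ $# -gt 0 ]; then main "$@"; fi
```

For the socat variant, run `b-relay 10.0.0.2` on B (10.0.0.2 standing in for B's LAN address), then `a-hosts 10.0.0.2` on A as root; `check` on B should show the listener bound to 10.0.0.2:16000 only, and `nc -vz service.example.com 16000` on A should now connect via B. For the ssh variant, run `a-hosts 127.0.0.1` and then `a-tunnel server_b` on A; `check` on A should show 127.0.0.1:16000. `a-revert` removes the hosts entry when the forward is no longer needed. Either way, as chuck's comment says and the asker's final comment confirms, this belongs in place only with the agreement of whoever owns the firewall.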