Friday, November 1, 2013

Use port forwarding to selectively grant access to machines behind firewall/NAT

Port forwarding is a networking technique that can be used to give limited outside access to a machine that, due to its location behind a firewall or NAT setup, would not otherwise be accessible from the outside.

Say the target machine, 'bob', has a private IP address. Since it is behind NAT, it is not accessible from the Internet. I'd like to SSH to it from 'alice', a machine with a public IP address somewhere on the Internet. Under ordinary circumstances, this would not be possible. But if I have access to a "jump host" (a dual-homed machine that can access both 'bob' *and* 'alice') -- call it 'jump' --, I can set up port forwarding on 'jump' to accomplish my objective.

Typically, a high-numbered port (such as 63342) will be selected, and 'jump' will be configured to forward incoming SSH connections on this port to port 22 on 'bob'. This is easily accomplished using either 'socat' or 'xinetd'.

For socat, see: man socat ... and HINT socat TCP-LISTEN:80,fork TCP:[target_ip_address]
For xinetd, see: azouhr's blog entry on port forwarding with xinetd

Performance note: a kernel developer recently told me that, since 'socat' and 'xinetd' operate in userspace, at least two context switches per forwarded packet are performed. This has an adverse effect on the throughput and latency of connections made over forwarded ports. This would not be an issue with SSH, but I might want to think twice before attempting to pipe major traffic over a jump host in this way.

No comments:

Post a Comment