Thursday, December 19, 2013

In Pursuit of Port Forwarding

On one of my latest projects I needed stable port forwarding with an AWS NAT instance as the front end.  At first I used the quickest tool in my arsenal, the SSH port forward:
ssh -fgL 80:192.168.1.100:8884 localhost sleep 3600

This creates a simple port forwarding rule that closes on its own after an hour: -L binds local port 80 and relays each connection to 192.168.1.100:8884, -g lets hosts other than localhost connect to that port, and -f backgrounds the session, which ends when the sleep 3600 does (binding port 80 needs root).  Depending on what you're doing it is also nice that the forwarding rides inside an SSH session, which helps on an untrusted network, though note that the SSH target here is localhost, so the encrypted hop is only the loopback; the leg from the NAT instance to 192.168.1.100:8884 is plain TCP opened by the local sshd. You can also leave out -f and stay attached to the SSH session, which keeps the forward working until you "exit" it.  This is great as a quick tool and for temporary access, but I just don't trust the connection to be stable enough to consider it permanent.

Enter iptables.  I've used it before, and it definitely has its place in the Linux networking toolbox, but it can be a bit cumbersome to use, especially if you're not using it regularly.  Furthermore, when you go looking for help on the Internet, everyone has a different example of rules that worked for them.  In the end this configuration worked for me:
sudo /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.100:8884
sudo /sbin/iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE

At first I had fooled myself by testing from the same instance I was doing the forwarding on: PREROUTING only sees packets arriving on an interface, so a connection made on the NAT instance itself never hits the DNAT rule (locally generated packets pass through the nat table's OUTPUT chain instead, which would need a rule of its own).  Once I realized that mistake, the above rules worked great for LAN and WAN traffic originating outside of the NAT instance. Two more things are worth knowing about them: they rely on IP forwarding being enabled (net.ipv4.ip_forward = 1, which a NAT instance already has) and on the FORWARD chain letting the traffic through, and the POSTROUTING rule as written masquerades every forwarded TCP connection, not just this one, so the backend only ever sees the NAT instance's address rather than the real client's; a rule matched on -d 192.168.1.100 --dport 8884 is tighter. While I was willing to accept all that as a fair compromise, since what I really needed to work was working, I just didn't like the feeling of it. Not to mention it still left me to set up the iptables-save / iptables-restore mechanism so the rules I put in place would survive a reboot. It took a long time of researching and testing to get the iptables configuration to work, only to decide in the end that I didn't really like it.
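As an added example (not part of the original post), here is the complete rule set I would want for one TCP forward on a NAT instance, generated by a small POSIX sh function so it can be reviewed, version-controlled and applied in one go. It adds the pieces the two rules above leave out: the nat OUTPUT rule that makes the forward work for connections made on the instance itself, a MASQUERADE narrowed to this backend, and FORWARD accepts in case the chain policy is DROP. The interface name, addresses and ports are assumptions; the function only prints the commands unless you pipe them to a root shell.

```sh
#!/bin/sh
# Added example (not from the original post): the complete rule set for one
# TCP forward on a NAT instance. All interface names, addresses and ports
# are assumptions.
#   - PREROUTING DNAT: connections arriving on the interface
#   - OUTPUT DNAT:     connections made on the NAT instance itself, which
#                      PREROUTING never sees (the "testing locally" trap);
#                      test against the instance's eth0 address, not 127.0.0.1
#   - POSTROUTING:     MASQUERADE narrowed to this backend only
#   - FORWARD:         accept this flow even if the chain policy is DROP
# forward_rules only prints the commands; pipe them to "sudo sh -e" to apply.

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    # exactly four dotted-decimal octets, each 0-255
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# forward_rules IFACE LISTEN_PORT DEST_IP DEST_PORT
forward_rules() {
    iface=$1 lport=$2 dip=$3 dport=$4
    valid_port "$lport" && valid_port "$dport" && valid_ipv4 "$dip" || {
        echo "forward_rules: bad argument(s): $*" >&2
        return 1
    }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -p tcp --dport $lport -j DNAT --to-destination $dip:$dport
iptables -t nat -A OUTPUT -o lo -p tcp --dport $lport -j DNAT --to-destination $dip:$dport
iptables -t nat -A POSTROUTING -d $dip -p tcp --dport $dport -j MASQUERADE
iptables -A FORWARD -d $dip -p tcp --dport $dport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $dip -p tcp --sport $dport -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}
```

Review the output with forward_rules eth0 80 192.168.1.100 8884, apply it with forward_rules eth0 80 192.168.1.100 8884 | sudo sh -e, and then persist it with sudo sh -c 'iptables-save > /etc/iptables.rules' plus an iptables-restore of that file at boot (where that hook lives is distro-specific). Keeping the MASQUERADE matched on the backend means an unrelated forward added later does not silently lose its client addresses too.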

This is when xinetd occurred to me. It is a super-server made to accept connections and hand them to the right service; in this case I didn't need the service management, just some port forwarding, and there's a configuration option (redirect) for exactly that! You can place a config like this in your /etc/xinetd.d dir:
service port-forward-80
{
  type = UNLISTED
  socket_type = stream
  protocol = tcp
  wait = no
  user = root
  bind = 0.0.0.0
  port = 80
  only_from = 0.0.0.0
  redirect = 192.168.1.100 8884
}

Once you restart xinetd with
sudo /etc/init.d/xinetd restart (or sudo service xinetd restart)
it will listen on the "port" and forward each connection to the "redirect" IP address and port. "type = UNLISTED" tells xinetd that this service has no entry in /etc/services, which is why the port and protocol are given explicitly. "only_from = 0.0.0.0" allows connections from any address, so this forward is open to everything that can reach port 80 on the NAT instance; if only certain networks need it, list them there instead (e.g. only_from = 10.0.0.0/8) and xinetd refuses the rest before anything reaches the backend. This is simple, easy to read, and managed by a service that is likely already running if you've got it installed, so it easily survives reboots, and the configuration is simpler to store in version control and automate with a tool like puppet. Additionally, it instantly worked for access from the LAN, the WAN, and traffic originating on the instance itself, one more reason this approach was better than iptables. For those interested in monitoring, please note: while xinetd is listening, a plain TCP port check will return true even when the remote port is not available, because xinetd accepts the client's connection first and only then connects to the backend; check for a real response from the backend rather than just a successful connect.

There's another project called redir, and while I've not actually tried it, the syntax looks quite simple:
redir --laddr=192.168.1.1 --lport=80 --caddr=192.168.1.100 --cport=8884

But again, after realizing the robust nature of xinetd and its ability to do the job as a managed service, I decided to stick with it rather than one of these more temporary (or less than perfect) solutions.
