When two servers are connected to each other but only one server has access to the internet, services on the server that is not connected directly to the internet cannot be accessed directly. The server connected to the internet has to forward the ports to the services you want to reach on to the second server. This post will show you how to configure this arrangment.
For the configuration used in this article I assume that eth0 of Server1 is the public facing interface to the internet while eth1 is the interface connected to Server2. I also assume you have already configured Access the internet from server without direct connection.
Configure iptables port forwarding
With the Access the internet from server without direct connection configured, Server2 has access to the internet already. Services on Server2 are not accessible as Server1 is not forwarding any connections. In the next example I will enable access to Server2 via ssh and http.
As Server1 is running ssh itself you cannot use the standard port 22 to forward to Server2 as this will already be in use by Server1. An alternative port number has to be chosen. I’ll assume that Server1 is not already running a web server which allows the following example to use the default http port for the web server.
With Server2 already being able to connect to the internet via Server1, the only rules to add to iptables are the following:
[Server1]$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1234 -j DNAT --to 10.0.0.2:22 [Server1]$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
These rules will each enable one port defined by “–dport” to be forwarded to Server2 with the “–to” parameter. The “–to” parameter takes an IP address as well as a port number to forward to.
The first rule will forward port 1234 (our chosen port for ssh) to Server2’s IP on the default port 22. The web-server port 80 is forwarded in the second rule to the same port on Server2.
Testing the forwarding
With the IPtables rule in place, you can try to connect to Server2. The ssh command will need the port number specifying, otherwise you will end up connecting to Server1:
[Client]$ ssh Server1 -p 1234
In the command above you connect to the IP / hostname of Server1 but with the port that is forwarded to Server2. This will bring you directly to the shell of Server2. You might authenticate by password or ssh-key depending on your ssh configuration.
The web-server, which I’ll assume is already configured and running on Server2, can be accessed again with the IP / hostname of Server1 and the forwarded standard port 80. To reach the web-server of Server2 enter the following into a web-browser:
http://Server1/
If you have forwarded a different port, the selected port needs to be added to the URL. If you have selected port 8080 to be forwarded to Server 2 enter the following into a web-browser:
http://Server1:8080/
Where “Server1” should be replaced by Server1’s IP address or hostname.
Read more of my posts on my blog at http://blog.tinned-software.net/.
