June 16, 2007 / jphoward

Redirecting TCP sockets

I often find that I want to create a brief hole through a firewall – for example to start a service I forgot to run on a machine behind a firewall. One good way to do this is using RINETD. RINETD is a user space program for redirecting TCP sockets. It multiplexes IO with just one process.

For Linux firewalls, it’s generally better to use iptables. To create a temporary hole in the firewall, do:

  • iptables -t nat -A POSTROUTING -d $PRIVATEHOST -s $SRC -p tcp --dport $PORT -j SNAT --to-source $FIREWALL_INTERNALIP
  • iptables -t nat -A PREROUTING -s $SRC -d $PUBLICIP -p tcp --dport $PORT -j DNAT --to-destination $PRIVATEHOST
  • iptables -A FORWARD -s $SRC -d $PRIVATEHOST -p tcp --dport $PORT -j ACCEPT
  • echo 1 > /proc/sys/net/ipv4/ip_forward


In the commands above:

  • $SRC is the IP you are connecting from (so you and only you can connect)
  • $PORT is the TCP port you are trying to access
  • $FIREWALL_INTERNALIP is the internal IP of your Linux firewall box
  • $PUBLICIP is the external IP you are connecting to
  • $PRIVATEHOST is the internal IP of the machine you are trying to connect to, behind your firewall
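
Because the hole is meant to be temporary, it helps to produce the matching delete (-D) commands from the same rule text used to open it. The sketch below is an added example, not part of the original post: the function names (valid_ip, valid_port, hole_rules) are hypothetical, and the addresses in the usage comment are constructed documentation values.

```shell
#!/bin/sh
# Added example: emit the iptables commands that open or close the hole.
# Usage (as root; addresses below are constructed documentation values):
#   hole_rules open 203.0.113.5 198.51.100.1 192.168.1.20 192.168.1.1 3389 | sh
#   hole_rules close 203.0.113.5 198.51.100.1 192.168.1.20 192.168.1.1 3389 | sh

# valid_ip ADDR: succeed only for a dotted-quad IPv4 address.
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_port N: succeed only for a TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# hole_rules open|close SRC PUBLICIP PRIVATEHOST FIREWALL_INTERNALIP PORT
# Prints one command per line; "close" uses -D with the same rule text.
hole_rules() {
    action=$1 src=$2 publicip=$3 privatehost=$4 fw_internal=$5 port=$6
    case "$action" in
        open) op=-A ;;
        close) op=-D ;;
        *) return 2 ;;
    esac
    for ip in "$src" "$publicip" "$privatehost" "$fw_internal"; do
        valid_ip "$ip" || return 2
    done
    valid_port "$port" || return 2
    echo "iptables -t nat $op PREROUTING -s $src -d $publicip -p tcp --dport $port -j DNAT --to-destination $privatehost"
    echo "iptables -t nat $op POSTROUTING -s $src -d $privatehost -p tcp --dport $port -j SNAT --to-source $fw_internal"
    echo "iptables $op FORWARD -s $src -d $privatehost -p tcp --dport $port -j ACCEPT"
}
```

The function only prints commands and refuses anything that is not a plain IPv4 address or port, so the output can be reviewed before it is piped to a root shell. It leaves /proc/sys/net/ipv4/ip_forward untouched.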
