
I have a Debian server with a static IP address. I want to set it up so that if I connect to this server using a specific port, it will redirect that traffic to my home network.

I've got that working using iptables like so:

iptables -t nat -A PREROUTING -p tcp --dport [port] -j DNAT --to [home-ip]:[port]
iptables -t nat -A POSTROUTING -d [home-ip] -j MASQUERADE

The trouble is, my home network has a dynamic IP. As soon as it changes (which happens frequently enough) this will stop working.

However, I have a dynamic DNS name set up for my home IP address.

Is there any way to use iptables so that it will always redirect this traffic to the IP that my dynamic DNS name resolves to?

2 Answers


IPTables does not support on-the-fly DNS resolution, because it involves security, performance and implementation issues.

If someone was able to modify DNS records for your domain, it would affect IPTables rules.

If IPTables did a DNS lookup on every incoming packet or even connection initiation packet, it would be really slow.

Also, if there are multiple A records for a domain name, which one would IPTables use?

To accomplish what you are looking for, you would need to implement a system where the host running IPTables periodically checks what the IP address for your dynamic host name is, and then changes its rules accordingly.

Another alternative would be to have software on your computer on your home network, which monitors the current public IP address, and then sends it to your IPTables server, which reconfigures the IPTables.

I don't know any particular software that could do this for you.
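As an added example (not part of the answer above, and not any existing tool), the following POSIX shell script implements the first alternative the answer describes: the Debian host polls the dynamic DNS name and, when the address changes, deletes the old DNAT/MASQUERADE pair and adds a new one. The DDNS name, port and state-file path are placeholders; it assumes getent (glibc) and iptables on the server. It inherits the concern the answer raises: whoever controls the A record controls where the port is forwarded, so point the server at a DNSSEC-validating resolver, and the polling interval bounds how long a stale rule stays in place.

```shell
#!/bin/sh
# Added example (not the answer's code): poll a dynamic DNS name and move the
# DNAT/MASQUERADE rules to the new address when it changes.
# Placeholders: DDNS_NAME, PORT, STATE_FILE. Requires getent and iptables.

DDNS_NAME="${DDNS_NAME:-home.example.net}"                 # placeholder DDNS name
PORT="${PORT:-2222}"                                        # placeholder forwarded port
STATE_FILE="${STATE_FILE:-/var/lib/ddns-forward/last-ip}"   # last applied address

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# First A record only: the answer notes iptables cannot choose among several.
resolve_ipv4() {
  getent ahostsv4 "$1" | awk '{ print $1; exit }'
}

# Print the iptables commands that replace the rules for old ($1) with rules
# for new ($2) on port ($3). A delete must repeat the original match exactly,
# so the -D lines mirror the -A lines from the question.
forward_rules() {
  old=$1; new=$2; port=$3
  if [ -n "$old" ]; then
    printf 'iptables -t nat -D PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$port" "$old" "$port"
    printf 'iptables -t nat -D POSTROUTING -d %s -j MASQUERADE\n' "$old"
  fi
  printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$port" "$new" "$port"
  printf 'iptables -t nat -A POSTROUTING -d %s -j MASQUERADE\n' "$new"
}

# One polling round: resolve, compare with the last applied address, rewrite.
update_forward() {
  new=$(resolve_ipv4 "$DDNS_NAME")
  if ! is_ipv4 "$new"; then
    echo "$DDNS_NAME did not resolve to an IPv4 address; keeping current rules" >&2
    return 1
  fi
  old=""
  [ -r "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
  [ "$old" = "$new" ] && return 0           # unchanged, nothing to do
  forward_rules "$old" "$new" "$PORT" | sh -e || return 1
  mkdir -p "$(dirname "$STATE_FILE")"
  printf '%s\n' "$new" > "$STATE_FILE"
  echo "forward target changed: ${old:-none} -> $new"
}

# Run one round only when invoked as: sh ddns-forward.sh apply
# (for example from a root cron entry every minute); otherwise only define
# the functions so they can be sourced.
if [ "${1:-}" = "apply" ]; then
  update_forward
fi
```

Run it as root from cron (`* * * * * /usr/local/sbin/ddns-forward.sh apply`); the first round adds the rules, later rounds touch iptables only when the resolved address differs from the one recorded in the state file, and a resolution failure leaves the existing rules untouched rather than deleting them.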


For the reasons well explained by Tero Kikanen, iptables is not the tool to do what you wish. You should use ssh instead.

Let's call:

  1. hostA your local pc;

  2. hostB your Debian server;

  3. hostC your home pc.

If you want to forward your ssh session, for instance, you need to add, on pc hostA, the following line to your file .ssh/config:

Host hostC
ProxyCommand ssh hostB -W %h:%p

and make sure you have login credentials to hostC on hostA. Now, from hostA, you may connect to hostC as follows:

ssh me@hostc

In this, you do not need to use IP addresses, unresolved names are just fine. Also, you may add all sorts of options (things like port, crypto key file, user, and so on) either on the Proxy Command file or on the CLI (it depends on whether the option is for B->C connection, or for A->B connection respectively).

By the same token, you can forward a given port (portA) on hostA to a different port (portC) on hostC thru the intermediary of hostB, as follows:

ssh -L portA:hostC:portC me@hostB

Once again, no need to use IP addresses, simple names will do. Another major advantage of ssh is that all communications are automatically encrypted, so no one will be able to see what you are doing.

Lastly, if you do not know how to give a (free!) name to a pc without a static IP address (hostC), just check noip, it is trivial.

  • Unfortunately this solution is not usable for me, because hostA is an iOS device and as such doesn't have the capability to do any kind of sophisticated forwarding with ssh. The redirection has to happen transparently to hostA.
    – Bri Bri
    Commented Apr 11, 2017 at 18:26
  • @GuyGizmo What I suggested can be done on iOS, read here, apple.stackexchange.com/questions/69163/…
    Commented Apr 11, 2017 at 22:20
  • I should also mention that what I'm setting up is meant to be a "one click" operation, especially for users who are not computer literate, so I don't see asking them to download an SSH client and configure it for tunneling to be a viable solution. It's pretty much a hard requirement that the redirection be transparent to iOS. That all said your solution is a good one. It's just not the right one for me in this instance.
    – Bri Bri
    Commented Apr 12, 2017 at 2:22
