ssh

IP/ssh Routing and Hopping 50 Examples

We get Grok to Write Us a Good and Quick Example of Routing and Packet handling via IP tables.

thinkmelt@protonmail.com

38 min read
IP/ssh Routing and Hopping 50 Examples

Grok 4 is absolutely fantastic for creating 'idea cards' that show many examples of ip routing and ssh routing.  As a network administrator it behooves you to refresh yourself of this stuff often!  So - here it is!

  • System configurations change constantly - we tried to test these as best we could, but depending on your Linux system, networking etc it may (or may not work) but it gives you piles of good ideas for your corporate setup!
  • Understand a basic rule - if your packet crosses two interfaces, then ipv4 forwarding must be enabled.

Understanding IPv4 Forwarding in IP Routing and SSH Configurations

In the context of the IP routing examples provided in previous guides, IPv4 forwarding is a critical kernel-level setting in Linux systems that determines whether the host can act as a router by forwarding packets between network interfaces. This explanation will detail what IPv4 forwarding entails, when it is required for the described setups, how to enable it, and whether SSH handles it automatically. I will structure this response to ensure clarity, beginning with foundational concepts and proceeding to practical implementation.

What Is IPv4 Forwarding?

IPv4 forwarding is a feature of the Linux kernel that allows a system to forward IP packets from one network interface to another. By default, most Linux distributions disable this feature to prevent unintended routing behavior, which could pose security risks on non-router systems (e.g., desktops or servers not intended for packet forwarding). When enabled, the kernel processes packets destined for other hosts, using routing tables to direct them appropriately. This is essential for scenarios involving network address translation (NAT), firewalls, or multi-hop routing, as seen in many of the iptables-based examples.

Without IPv4 forwarding enabled, rules in the FORWARD chain of iptables (or ip6tables for IPv6) will not function, as the kernel will drop packets that are not locally destined. This setting does not affect local traffic or outbound connections from the host itself but is specifically required for transit traffic.

Is IPv4 Forwarding Required in These Guides?

The necessity of IPv4 forwarding depends on the specific type of routing or forwarding mechanism in each example:

Iptables-Based Routing and NAT Examples:

  • In setups using iptables for NAT (e.g., PREROUTING, POSTROUTING, or FORWARD chains), such as external-to-internal IP routing, port forwarding via DNAT, or masquerading, IPv4 forwarding must be enabled. This is because these configurations involve the kernel routing packets between interfaces (e.g., from an external WAN interface to an internal LAN interface).
  • Examples include single-hop NAT, two-hop routing, and any scenario where the host acts as a gateway or router. Without forwarding, packets would be discarded, rendering rules ineffective.
  • For IPv6 equivalents (using ip6tables), IPv6 forwarding (net.ipv6.conf.all.forwarding) may also need enabling, though the guides primarily focus on IPv4.

SSH-Based Port Forwarding Examples:

  • SSH port forwarding (e.g., using the -L option for local forwarding) operates at the application layer and does not rely on kernel-level IP forwarding. SSH creates a tunnel that forwards traffic through the SSH connection itself, bypassing the kernel's routing stack for the tunneled ports.
  • In these cases, the SSH server handles the forwarding in user space, so no kernel configuration changes are needed. This is why SSH is often used for simple, secure port redirection without requiring full router capabilities.
  • However, if the SSH setup is combined with iptables (e.g., for broader network routing), forwarding may still be required for non-tunneled traffic.

In summary, for pure iptables-driven routing (the majority of the examples), IPv4 forwarding is mandatory. For standalone SSH configurations, it is not required, as SSH does not automatically enable or depend on it—nor does it modify kernel settings.

How to Enable IPv4 Forwarding

Enabling IPv4 forwarding can be done temporarily (for the current session) or persistently (across reboots). These steps assume a Linux system with root privileges, as they involve system configuration. Always exercise caution, as enabling forwarding can expose your system to additional network traffic.

Temporary Enable (Runtime Only):

  • Use the sysctl command to set the forwarding parameter dynamically:
sudo sysctl -w net.ipv4.ip_forward=1
  • sudo: Elevates privileges to root.
  • sysctl: A utility for querying and modifying kernel parameters at runtime.
  • -w: Writes the new value to the parameter.
  • net.ipv4.ip_forward=1: The specific parameter for IPv4 forwarding (set to 1 to enable; 0 to disable).
  • This change takes effect immediately but will revert on reboot. Verify the setting with:
sysctl net.ipv4.ip_forward
  • Expected output: net.ipv4.ip_forward = 1.

Persistent Enable (Across Reboots):

  • Edit the sysctl configuration file:
sudo nano /etc/sysctl.conf
  • Add or uncomment the line: net.ipv4.ip_forward=1.
  • Save and exit the editor.
  • Apply the changes without rebooting:
sudo sysctl -p
  • -p: Loads settings from /etc/sysctl.conf.
  • For IPv6 forwarding (if needed in dual-stack examples), add net.ipv6.conf.all.forwarding=1 to the same file and apply similarly.

Additional Considerations:

  • On some distributions (e.g., Ubuntu with UFW firewall), enabling forwarding may require additional configuration in firewall rules to allow forwarded traffic.
  • If using containerized environments (e.g., Docker), forwarding might need enabling at the host level, as containers often inherit kernel settings.
  • Security: After enabling, ensure iptables rules restrict unwanted traffic (e.g., using -j DROP as a default policy in the FORWARD chain).
  • Testing: Use tools like ping or traceroute across interfaces to confirm forwarding works post-configuration.

Does SSH Enable IPv4 Forwarding Automatically?

No, SSH does not enable IPv4 forwarding automatically. SSH is a user-space application that establishes encrypted tunnels for port forwarding, remote access, or proxying without altering kernel parameters. It forwards traffic at the TCP layer within the SSH session, not by engaging the kernel's IP routing. Therefore:

  • In SSH-only examples (e.g., ssh -L), no forwarding enablement is needed or performed.
  • If your setup requires kernel routing (e.g., combining SSH with iptables for network-wide access), you must manually enable forwarding as described.
  • Advanced SSH features, like dynamic forwarding (-D for SOCKS proxy), also operate without kernel forwarding, relying instead on SSH's internal handling.

In conclusion, while IPv4 forwarding is essential for the iptables-centric routing examples to function as gateways, it is not required or automated by SSH in port-forwarding scenarios. Enabling it should be done judiciously, with appropriate security measures. If you encounter issues in a specific example or need configuration for a particular distribution, please provide additional details for tailored guidance.

1. External IPv4 to Internal IPv4 (Single Hop NAT)

This example routes traffic from an external IPv4 address (203.0.113.1) to an internal IPv4 address (192.168.1.10) using Network Address Translation (NAT).

iptables -t nat -A PREROUTING -d 203.0.113.1 -j DNAT --to-destination 192.168.1.10
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -d 203.0.113.1: Matches packets with the destination IP address 203.0.113.1.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 192.168.1.10: Rewrites the destination IP address to 192.168.1.10.

No SSH configuration is required for this example.

2. External IPv4 to Internal IPv4 (Port Forwarding to Port 80)

This example routes traffic from an external IPv4 address (198.51.100.5:80) to an internal IPv4 address (192.168.1.15:8080) using port forwarding.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.15:8080
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 80: Matches packets with destination port 80.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 192.168.1.15:8080: Rewrites the destination to IP address 192.168.1.15 and port 8080.
ssh -L 80:localhost:8080 user@192.168.1.15
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 80:localhost:8080: Enables local port forwarding, binding local port 80 to port 8080 on the remote host (localhost from the SSH server's perspective).
  • user@192.168.1.15: Specifies the username and IP address of the remote host to connect to.

3. External IPv4 to Internal IPv6 (NAT64 Translation)

This example routes traffic from an external IPv4 address (192.0.2.1) to an internal IPv6 address (2001:db8::1) using NAT64.

ip6tables -t nat -A PREROUTING -d 2001:db8::1 -j DNAT --to-destination [::ffff:192.0.2.1]
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -d 2001:db8::1: Matches packets with the destination IPv6 address 2001:db8::1.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [::ffff:192.0.2.1]: Rewrites the destination to the IPv4-mapped IPv6 address representing 192.0.2.1 (requires NAT64 setup).

No SSH configuration is required for this example.

4. External IPv4 to Internal IPv6 (Port Forwarding to Port 443)

This example routes traffic from an external IPv4 address (203.0.113.2:443) to an internal IPv6 address (2001:db8::2:8443).

ip6tables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination [2001:db8::2]:8443
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 443: Matches packets with destination port 443.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [2001:db8::2]:8443: Rewrites the destination to IPv6 address 2001:db8::2 and port 8443.
ssh -L 443:localhost:8443 user@[2001:db8::2]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 443:localhost:8443: Enables local port forwarding, binding local port 443 to port 8443 on the remote host.
  • user@[2001:db8::2]: Specifies the username and IPv6 address of the remote host to connect to.

5. External IPv6 to Internal IPv4 (Single Hop Translation)

This example routes traffic from an external IPv6 address (2001:db8::3) to an internal IPv4 address (10.0.0.5).

iptables -t nat -A PREROUTING -d 10.0.0.5 -j DNAT --to-destination [::ffff:2001:db8::3]
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -d 10.0.0.5: Matches packets with the destination IP address 10.0.0.5.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [::ffff:2001:db8::3]: Rewrites the destination to the IPv6 address 2001:db8::3 (with IPv6-to-IPv4 mapping).

No SSH configuration is required for this example.

6. External IPv6 to Internal IPv4 (Port Forwarding to Port 22)

This example routes traffic from an external IPv6 address (2001:db8::4:22) to an internal IPv4 address (172.16.0.1:22).

iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 172.16.0.1:22
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 22: Matches packets with destination port 22.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 172.16.0.1:22: Rewrites the destination to IP address 172.16.0.1 and port 22.
ssh -p 22 user@172.16.0.1
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -p 22: Specifies the port to connect to on the remote host.
  • user@172.16.0.1: Specifies the username and IP address of the remote host to connect to.

7. External IPv6 to Internal IPv6 (Direct Routing)

This example routes traffic from an external IPv6 address (2001:db8::5) to an internal IPv6 address (fc00::1).

ip6tables -A FORWARD -s 2001:db8::5 -d fc00::1 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -s 2001:db8::5: Matches packets with the source IPv6 address 2001:db8::5.
  • -d fc00::1: Matches packets with the destination IPv6 address fc00::1.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

No SSH configuration is required for this example.

8. External IPv6 to Internal IPv6 (Port Forwarding to Port 53)

This example routes traffic from an external IPv6 address (2001:db8::6:53) to an internal IPv6 address (fd00::1:53).

ip6tables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination [fd00::1]:53
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p udp: Matches packets using the UDP protocol.
  • --dport 53: Matches packets with destination port 53.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [fd00::1]:53: Rewrites the destination to IPv6 address fd00::1 and port 53.
ssh -L 53:localhost:53 user@[fd00::1]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 53:localhost:53: Enables local port forwarding, binding local port 53 to port 53 on the remote host.
  • user@[fd00::1]: Specifies the username and IPv6 address of the remote host to connect to.

9. Internal IPv4 to External IPv4 (Outbound NAT)

This example routes outbound traffic from an internal IPv4 address (192.168.1.20) to an external IPv4 address (198.51.100.10) using masquerading.

iptables -t nat -A POSTROUTING -s 192.168.1.20 -j MASQUERADE
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -s 192.168.1.20: Matches packets with the source IP address 192.168.1.20.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.

No SSH configuration is required for this example.

10. Internal IPv4 to External IPv6 (6to4 Tunneling)

This example routes traffic from an internal IPv4 address (10.0.0.10) to an external IPv6 address (2001:db8::7) via tunneling.

iptables -A FORWARD -s 10.0.0.10 -d [::ffff:2001:db8::7] -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -s 10.0.0.10: Matches packets with the source IP address 10.0.0.10.
  • -d [::ffff:2001:db8::7]: Matches packets with the destination IPv6 address 2001:db8::7 (IPv4-mapped).
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed (tunnel setup required).

No SSH configuration is required for this example.

11. Internal IPv6 to External IPv4 (NAT64 Outbound)

This example routes outbound traffic from an internal IPv6 address (fc00::2) to an external IPv4 address (203.0.113.3).

ip6tables -t nat -A POSTROUTING -s fc00::2 -j MASQUERADE
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -s fc00::2: Matches packets with the source IPv6 address fc00::2.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.

No SSH configuration is required for this example.

12. Internal IPv6 to External IPv6 (Single Hop Forwarding)

This example routes traffic from an internal IPv6 address (fd00::2) to an external IPv6 address (2001:db8::8).

ip6tables -A FORWARD -s fd00::2 -d 2001:db8::8 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -s fd00::2: Matches packets with the source IPv6 address fd00::2.
  • -d 2001:db8::8: Matches packets with the destination IPv6 address 2001:db8::8.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

No SSH configuration is required for this example.

13. Two-Hop: External IPv4 to Internal IPv4

This example routes traffic from external IPv4 (203.0.113.4) to Router1 (198.51.100.15), then to internal IPv4 (192.168.1.30).

Router1:

iptables -t nat -A PREROUTING -d 198.51.100.15 -j DNAT --to-destination 192.168.1.30
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -d 198.51.100.15: Matches packets with the destination IP address 198.51.100.15.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 192.168.1.30: Rewrites the destination IP address to 192.168.1.30.

Router2:

iptables -A FORWARD -d 192.168.1.30 -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -d 192.168.1.30: Matches packets with the destination IP address 192.168.1.30.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

No SSH configuration is required for this example.

14. Two-Hop: External IPv4 to Internal IPv6

This example routes traffic from external IPv4 (192.0.2.2) to Router1 (203.0.113.5), then to internal IPv6 (2001:db8::9).

Router1:

iptables -A FORWARD -d [::ffff:2001:db8::9] -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -d [::ffff:2001:db8::9]: Matches packets with the destination IPv6 address 2001:db8::9 (IPv4-mapped).
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

ip6tables -t nat -A PREROUTING -d 2001:db8::9 -j DNAT --to-destination [2001:db8::9]
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -d 2001:db8::9: Matches packets with the destination IPv6 address 2001:db8::9.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [2001:db8::9]: Rewrites the destination to the same IPv6 address (for consistency in translation).

No SSH configuration is required for this example.

15. Two-Hop: External IPv6 to Internal IPv4 (Port Forwarding to Port 80)

This example routes traffic from external IPv6 (2001:db8::10:80) to Router1 (fc00::3), then to internal IPv4 (10.0.0.15:80).

Router1:

ip6tables -A FORWARD -d [::ffff:10.0.0.15] -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -d [::ffff:10.0.0.15]: Matches packets with the destination IPv4-mapped IPv6 address representing 10.0.0.15.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.15:80
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 80: Matches packets with destination port 80.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 10.0.0.15:80: Rewrites the destination to IP address 10.0.0.15 and port 80.
ssh -L 80:localhost:80 user@10.0.0.15
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 80:localhost:80: Enables local port forwarding, binding local port 80 to port 80 on the remote host.
  • user@10.0.0.15: Specifies the username and IP address of the remote host to connect to.

16. Two-Hop: External IPv6 to Internal IPv6

This example routes traffic from external IPv6 (2001:db8::11) to Router1 (fd00::3), then to internal IPv6 (fc00::4).

Router1:

ip6tables -A FORWARD -d fc00::4 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -d fc00::4: Matches packets with the destination IPv6 address fc00::4.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

ip6tables -A FORWARD -d fc00::4 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -d fc00::4: Matches packets with the destination IPv6 address fc00::4.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

No SSH configuration is required for this example.

17. External IPv4 to Internal IPv4 (Port Forwarding to Port 22)

This example routes traffic from external IPv4 (198.51.100.20:22) to internal IPv4 (192.168.1.40:22).

iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.1.40:22
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 22: Matches packets with destination port 22.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 192.168.1.40:22: Rewrites the destination to IP address 192.168.1.40 and port 22.
ssh -p 22 user@192.168.1.40
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -p 22: Specifies the port to connect to on the remote host.
  • user@192.168.1.40: Specifies the username and IP address of the remote host to connect to.

18. Two-Hop: External IPv4 to Internal IPv6

This example routes traffic from external IPv4 (203.0.113.6) to Router1 (192.0.2.3), then to internal IPv6 (2001:db8::12).

Router1:

iptables -A FORWARD -d [::ffff:2001:db8::12] -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -d [::ffff:2001:db8::12]: Matches packets with the destination IPv6 address 2001:db8::12 (IPv4-mapped).
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

ip6tables -t nat -A PREROUTING -d 2001:db8::12 -j DNAT --to-destination [2001:db8::12]
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -d 2001:db8::12: Matches packets with the destination IPv6 address 2001:db8::12.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [2001:db8::12]: Rewrites the destination to the same IPv6 address.

No SSH configuration is required for this example.

19. External IPv6 to Internal IPv4 (Outbound Port Forwarding to Port 443)

This example routes traffic from external IPv6 (2001:db8::13:443) to internal IPv4 (172.16.0.10:443).

iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 443: Matches packets with destination port 443.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.
ssh -L 443:localhost:443 user@172.16.0.10
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 443:localhost:443: Enables local port forwarding, binding local port 443 to port 443 on the remote host.
  • user@172.16.0.10: Specifies the username and IP address of the remote host to connect to.

20. External IPv6 to Internal IPv6 (Port Forwarding to Port 80)

This example routes traffic from external IPv6 (2001:db8::14:80) to internal IPv6 (fd00::4:80).

ip6tables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [fd00::4]:80
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 80: Matches packets with destination port 80.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [fd00::4]:80: Rewrites the destination to IPv6 address fd00::4 and port 80.
ssh -L 80:localhost:80 user@[fd00::4]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 80:localhost:80: Enables local port forwarding, binding local port 80 to port 80 on the remote host.
  • user@[fd00::4]: Specifies the username and IPv6 address of the remote host to connect to.

21. Internal IPv4 to External IPv4 (Two-Hop Outbound)

This example routes outbound traffic from internal IPv4 (192.168.1.50) to Router1 (203.0.113.7), then to external IPv4 (198.51.100.25).

Router1:

iptables -A FORWARD -s 192.168.1.50 -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -s 192.168.1.50: Matches packets with the source IP address 192.168.1.50.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

iptables -t nat -A POSTROUTING -d 198.51.100.25 -j MASQUERADE
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -d 198.51.100.25: Matches packets with the destination IP address 198.51.100.25.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.

No SSH configuration is required for this example.

22. Internal IPv4 to External IPv6 (Port Forwarding to Port 443)

This example routes traffic from internal IPv4 (10.0.0.20:443) to external IPv6 (2001:db8::15:443).

ip6tables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 443: Matches packets with destination port 443.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.
ssh -L 443:localhost:443 user@[2001:db8::15]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 443:localhost:443: Enables local port forwarding, binding local port 443 to port 443 on the remote host.
  • user@[2001:db8::15]: Specifies the username and IPv6 address of the remote host to connect to.

23. Internal IPv6 to External IPv4 (Two-Hop)

This example routes traffic from internal IPv6 (fc00::5) to Router1 (2001:db8::16), then to external IPv4 (192.0.2.4).

Router1:

ip6tables -A FORWARD -s fc00::5 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -s fc00::5: Matches packets with the source IPv6 address fc00::5.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

iptables -t nat -A POSTROUTING -d 192.0.2.4 -j MASQUERADE
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -d 192.0.2.4: Matches packets with the destination IP address 192.0.2.4.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.

No SSH configuration is required for this example.

24. Internal IPv6 to External IPv6 (Port Forwarding to Port 22)

This example routes traffic from internal IPv6 (fd00::5:22) to external IPv6 (2001:db8::17:22).

ip6tables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination [2001:db8::17]:22
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 22: Matches packets with destination port 22.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [2001:db8::17]:22: Rewrites the destination to IPv6 address 2001:db8::17 and port 22.
ssh -p 22 user@[2001:db8::17]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -p 22: Specifies the port to connect to on the remote host.
  • user@[2001:db8::17]: Specifies the username and IPv6 address of the remote host to connect to.

25. External IPv4 to Internal IPv4 (Two-Hop Port Forwarding to Port 53)

This example routes traffic from external IPv4 (203.0.113.8:53) to Router1 (198.51.100.30), then to internal IPv4 (192.168.1.60:53).

Router1:

iptables -A FORWARD -p udp --dport 53 -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -p udp: Matches packets using the UDP protocol.
  • --dport 53: Matches packets with destination port 53.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.168.1.60:53
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p udp: Matches packets using the UDP protocol.
  • --dport 53: Matches packets with destination port 53.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 192.168.1.60:53: Rewrites the destination to IP address 192.168.1.60 and port 53.
ssh -L 53:localhost:53 user@192.168.1.60
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 53:localhost:53: Enables local port forwarding, binding local port 53 to port 53 on the remote host.
  • user@192.168.1.60: Specifies the username and IP address of the remote host to connect to.

26. External IPv4 to Internal IPv6 (Single Hop)

This example routes traffic from external IPv4 (192.0.2.5) to internal IPv6 (2001:db8::18).

ip6tables -t nat -A PREROUTING -d 2001:db8::18 -j DNAT --to-destination [::ffff:192.0.2.5]
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -d 2001:db8::18: Matches packets with the destination IPv6 address 2001:db8::18.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [::ffff:192.0.2.5]: Rewrites the destination to the IPv4-mapped IPv6 address representing 192.0.2.5.

No SSH configuration is required for this example.

27. External IPv6 to Internal IPv4 (Two-Hop)

This example routes traffic from external IPv6 (2001:db8::19) to Router1 (fc00::6), then to internal IPv4 (10.0.0.25).

Router1:

ip6tables -A FORWARD -d [::ffff:10.0.0.25] -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -d [::ffff:10.0.0.25]: Matches packets with the destination IPv4-mapped IPv6 address representing 10.0.0.25.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

iptables -t nat -A PREROUTING -d 10.0.0.25 -j DNAT --to-destination 10.0.0.25
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -d 10.0.0.25: Matches packets with the destination IP address 10.0.0.25.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 10.0.0.25: Rewrites the destination to the same IP address.

No SSH configuration is required for this example.

28. External IPv6 to Internal IPv6 (Port Forwarding to Port 443)

This example routes traffic from external IPv6 (2001:db8::20:443) to internal IPv6 (fd00::6:8443).

ip6tables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination [fd00::6]:8443
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 443: Matches packets with destination port 443.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [fd00::6]:8443: Rewrites the destination to IPv6 address fd00::6 and port 8443.
ssh -L 443:localhost:8443 user@[fd00::6]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 443:localhost:8443: Enables local port forwarding, binding local port 443 to port 8443 on the remote host.
  • user@[fd00::6]: Specifies the username and IPv6 address of the remote host to connect to.

29. Internal IPv4 to External IPv4 (Outbound Port 80)

This example routes outbound traffic from internal IPv4 (192.168.1.70:80) to external IPv4 (203.0.113.9:80).

iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 80: Matches packets with destination port 80.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.

No SSH configuration is required for this example.

30. Internal IPv4 to External IPv6 (Two-Hop)

This example routes traffic from internal IPv4 (172.16.0.15) to Router1 (198.51.100.35), then to external IPv6 (2001:db8::21).

Router1:

iptables -A FORWARD -s 172.16.0.15 -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -s 172.16.0.15: Matches packets with the source IP address 172.16.0.15.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

ip6tables -t nat -A POSTROUTING -d 2001:db8::21 -j MASQUERADE
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -d 2001:db8::21: Matches packets with the destination IPv6 address 2001:db8::21.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.

No SSH configuration is required for this example.

31. Internal IPv6 to External IPv4 (Port Forwarding to Port 53)

This example routes traffic from internal IPv6 (fc00::7:53) to external IPv4 (192.0.2.6:53).

iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.0.2.6:53
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p udp: Matches packets using the UDP protocol.
  • --dport 53: Matches packets with destination port 53.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 192.0.2.6:53: Rewrites the destination to IP address 192.0.2.6 and port 53.
ssh -L 53:localhost:53 user@192.0.2.6
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 53:localhost:53: Enables local port forwarding, binding local port 53 to port 53 on the remote host.
  • user@192.0.2.6: Specifies the username and IP address of the remote host to connect to.

32. Internal IPv6 to External IPv6 (Two-Hop)

This example routes traffic from internal IPv6 (fd00::7) to Router1 (2001:db8::22), then to external IPv6 (2001:db8::23).

Router1:

ip6tables -A FORWARD -s fd00::7 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -s fd00::7: Matches packets with the source IPv6 address fd00::7.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

ip6tables -A FORWARD -d 2001:db8::23 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -d 2001:db8::23: Matches packets with the destination IPv6 address 2001:db8::23.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

No SSH configuration is required for this example.

33. External IPv4 to Internal IPv4 (Single Hop Port 443)

This example routes traffic from external IPv4 (198.51.100.40:443) to internal IPv4 (192.168.1.80:443).

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.80:443
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 443: Matches packets with destination port 443.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 192.168.1.80:443: Rewrites the destination to IP address 192.168.1.80 and port 443.
ssh -L 443:localhost:443 user@192.168.1.80
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 443:localhost:443: Enables local port forwarding, binding local port 443 to port 443 on the remote host.
  • user@192.168.1.80: Specifies the username and IP address of the remote host to connect to.

34. External IPv4 to Internal IPv6 (Two-Hop Port 22)

This example routes traffic from external IPv4 (203.0.113.10:22) to Router1 (192.0.2.7), then to internal IPv6 (2001:db8::24:22).

Router1:

iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 22: Matches packets with destination port 22.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

ip6tables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination [2001:db8::24]:22
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 22: Matches packets with destination port 22.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [2001:db8::24]:22: Rewrites the destination to IPv6 address 2001:db8::24 and port 22.
ssh -p 22 user@[2001:db8::24]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -p 22: Specifies the port to connect to on the remote host.
  • user@[2001:db8::24]: Specifies the username and IPv6 address of the remote host to connect to.

35. External IPv6 to Internal IPv4 (Single Hop)

This example routes traffic from external IPv6 (2001:db8::25) to internal IPv4 (172.16.0.20).

iptables -t nat -A PREROUTING -d 172.16.0.20 -j DNAT --to-destination [::ffff:2001:db8::25]
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -d 172.16.0.20: Matches packets with the destination IP address 172.16.0.20.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [::ffff:2001:db8::25]: Rewrites the destination to the IPv6 address 2001:db8::25.

No SSH configuration is required for this example.

36. External IPv6 to Internal IPv6 (Two-Hop Port 80)

This example routes traffic from external IPv6 (2001:db8::26:80) to Router1 (fc00::8), then to internal IPv6 (fd00::8:80).

Router1:

ip6tables -A FORWARD -p tcp --dport 80 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 80: Matches packets with destination port 80.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

ip6tables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [fd00::8]:80
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 80: Matches packets with destination port 80.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [fd00::8]:80: Rewrites the destination to IPv6 address fd00::8 and port 80.
ssh -L 80:localhost:80 user@[fd00::8]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 80:localhost:80: Enables local port forwarding, binding local port 80 to port 80 on the remote host.
  • user@[fd00::8]: Specifies the username and IPv6 address of the remote host to connect to.

37. Internal IPv4 to External IPv4 (Two-Hop Port 22)

This example routes outbound traffic from internal IPv4 (192.168.1.90:22) to Router1 (203.0.113.11), then to external IPv4 (198.51.100.45:22).

Router1:

iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 22: Matches packets with destination port 22.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

iptables -t nat -A POSTROUTING -p tcp --dport 22 -j MASQUERADE
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 22: Matches packets with destination port 22.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.
ssh -p 22 user@198.51.100.45
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -p 22: Specifies the port to connect to on the remote host.
  • user@198.51.100.45: Specifies the username and IP address of the remote host to connect to.

38. Internal IPv4 to External IPv6 (Single Hop)

This example routes traffic from internal IPv4 (10.0.0.30) to external IPv6 (2001:db8::27).

ip6tables -A FORWARD -s [::ffff:10.0.0.30] -d 2001:db8::27 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -s [::ffff:10.0.0.30]: Matches packets with the source IPv4-mapped IPv6 address representing 10.0.0.30.
  • -d 2001:db8::27: Matches packets with the destination IPv6 address 2001:db8::27.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

No SSH configuration is required for this example.

39. Internal IPv6 to External IPv4 (Two-Hop Port 80)

This example routes traffic from internal IPv6 (fc00::9:80) to Router1 (2001:db8::28), then to external IPv4 (203.0.113.12:80).

Router1:

ip6tables -A FORWARD -p tcp --dport 80 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 80: Matches packets with destination port 80.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 80: Matches packets with destination port 80.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.
ssh -L 80:localhost:80 user@203.0.113.12
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 80:localhost:80: Enables local port forwarding, binding local port 80 to port 80 on the remote host.
  • user@203.0.113.12: Specifies the username and IP address of the remote host to connect to.

40. Internal IPv6 to External IPv6 (Single Hop Port 53)

This example routes traffic from internal IPv6 (fd00::9:53) to external IPv6 (2001:db8::29:53).

ip6tables -A FORWARD -p udp --dport 53 -s fd00::9 -d 2001:db8::29 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -p udp: Matches packets using the UDP protocol.
  • --dport 53: Matches packets with destination port 53.
  • -s fd00::9: Matches packets with the source IPv6 address fd00::9.
  • -d 2001:db8::29: Matches packets with the destination IPv6 address 2001:db8::29.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

No SSH configuration is required for this example.

41. External IPv4 to Internal IPv4 (Two-Hop)

This example routes traffic from external IPv4 (198.51.100.50) to Router1 (192.0.2.8), then to internal IPv4 (192.168.1.100).

Router1:

iptables -t nat -A PREROUTING -d 192.0.2.8 -j DNAT --to-destination 192.168.1.100
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -d 192.0.2.8: Matches packets with the destination IP address 192.0.2.8.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 192.168.1.100: Rewrites the destination IP address to 192.168.1.100.

Router2:

iptables -A FORWARD -d 192.168.1.100 -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -d 192.168.1.100: Matches packets with the destination IP address 192.168.1.100.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

No SSH configuration is required for this example.

42. External IPv4 to Internal IPv6 (Port Forwarding to Port 53)

This example routes traffic from external IPv4 (203.0.113.13:53) to internal IPv6 (2001:db8::30:53).

ip6tables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination [2001:db8::30]:53
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p udp: Matches packets using the UDP protocol.
  • --dport 53: Matches packets with destination port 53.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination [2001:db8::30]:53: Rewrites the destination to IPv6 address 2001:db8::30 and port 53.
ssh -L 53:localhost:53 user@[2001:db8::30]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 53:localhost:53: Enables local port forwarding, binding local port 53 to port 53 on the remote host.
  • user@[2001:db8::30]: Specifies the username and IPv6 address of the remote host to connect to.

43. External IPv6 to Internal IPv4 (Two-Hop Port 443)

This example routes traffic from external IPv6 (2001:db8::31:443) to Router1 (fd00::10), then to internal IPv4 (10.0.0.35:443).

Router1:

ip6tables -A FORWARD -p tcp --dport 443 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 443: Matches packets with destination port 443.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.35:443
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 443: Matches packets with destination port 443.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 10.0.0.35:443: Rewrites the destination to IP address 10.0.0.35 and port 443.
ssh -L 443:localhost:443 user@10.0.0.35
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 443:localhost:443: Enables local port forwarding, binding local port 443 to port 443 on the remote host.
  • user@10.0.0.35: Specifies the username and IP address of the remote host to connect to.

44. External IPv6 to Internal IPv6 (Single Hop)

This example routes traffic from external IPv6 (2001:db8::32) to internal IPv6 (fc00::10).

ip6tables -A FORWARD -s 2001:db8::32 -d fc00::10 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -s 2001:db8::32: Matches packets with the source IPv6 address 2001:db8::32.
  • -d fc00::10: Matches packets with the destination IPv6 address fc00::10.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

No SSH configuration is required for this example.

45. Internal IPv4 to External IPv4 (Single Hop Outbound)

This example routes outbound traffic from internal IPv4 (192.168.1.110) to external IPv4 (192.0.2.9).

iptables -t nat -A POSTROUTING -s 192.168.1.110 -j MASQUERADE
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -s 192.168.1.110: Matches packets with the source IP address 192.168.1.110.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.

No SSH configuration is required for this example.

46. Internal IPv4 to External IPv6 (Two-Hop Port 53)

This example routes traffic from internal IPv4 (172.16.0.25:53) to Router1 (198.51.100.55), then to external IPv6 (2001:db8::33:53).

Router1:

iptables -A FORWARD -p udp --dport 53 -j ACCEPT
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -p udp: Matches packets using the UDP protocol.
  • --dport 53: Matches packets with destination port 53.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

ip6tables -t nat -A POSTROUTING -p udp --dport 53 -j MASQUERADE
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -p udp: Matches packets using the UDP protocol.
  • --dport 53: Matches packets with destination port 53.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.
ssh -L 53:localhost:53 user@[2001:db8::33]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 53:localhost:53: Enables local port forwarding, binding local port 53 to port 53 on the remote host.
  • user@[2001:db8::33]: Specifies the username and IPv6 address of the remote host to connect to.

47. Internal IPv6 to External IPv4 (Single Hop)

This example routes traffic from internal IPv6 (fd00::11) to external IPv4 (203.0.113.14).

iptables -t nat -A POSTROUTING -s [::ffff:fd00::11] -d 203.0.113.14 -j MASQUERADE
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -s [::ffff:fd00::11]: Matches packets with the source IPv6 address fd00::11 (IPv4-mapped).
  • -d 203.0.113.14: Matches packets with the destination IP address 203.0.113.14.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.

No SSH configuration is required for this example.

48. Internal IPv6 to External IPv6 (Two-Hop Port 443)

This example routes traffic from internal IPv6 (fc00::11:443) to Router1 (2001:db8::34), then to external IPv6 (2001:db8::35:443).

Router1:

ip6tables -A FORWARD -p tcp --dport 443 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 443: Matches packets with destination port 443.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

ip6tables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain, which processes packets after routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 443: Matches packets with destination port 443.
  • -j MASQUERADE: Jumps to the MASQUERADE target, which performs source NAT using the outgoing interface's IP.
ssh -L 443:localhost:443 user@[2001:db8::35]
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -L 443:localhost:443: Enables local port forwarding, binding local port 443 to port 443 on the remote host.
  • user@[2001:db8::35]: Specifies the username and IPv6 address of the remote host to connect to.

49. External IPv4 to Internal IPv4 (Port Forwarding to Port 22)

This example routes traffic from external IPv4 (192.0.2.10:22) to internal IPv4 (10.0.0.40:22).

iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 10.0.0.40:22
  • iptables: The command-line utility for configuring IP packet filter rules in the Linux kernel.
  • -t nat: Specifies the NAT table, which handles network address translation.
  • -A PREROUTING: Appends a rule to the PREROUTING chain, which processes packets before routing decisions.
  • -p tcp: Matches packets using the TCP protocol.
  • --dport 22: Matches packets with destination port 22.
  • -j DNAT: Jumps to the DNAT target, which performs Destination Network Address Translation.
  • --to-destination 10.0.0.40:22: Rewrites the destination to IP address 10.0.0.40 and port 22.
ssh -p 22 user@10.0.0.40
  • ssh: The Secure Shell command for secure remote login and tunneling.
  • -p 22: Specifies the port to connect to on the remote host.
  • user@10.0.0.40: Specifies the username and IP address of the remote host to connect to.

50. External IPv6 to Internal IPv6 (Two-Hop)

This example routes traffic from external IPv6 (2001:db8::36) to Router1 (fd00::12), then to internal IPv6 (fc00::12).

Router1:

ip6tables -A FORWARD -s 2001:db8::36 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -s 2001:db8::36: Matches packets with the source IPv6 address 2001:db8::36.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

Router2:

ip6tables -A FORWARD -d fc00::12 -j ACCEPT
  • ip6tables: The command-line utility for configuring IPv6 packet filter rules in the Linux kernel.
  • -A FORWARD: Appends a rule to the FORWARD chain, which processes packets being routed through the host.
  • -d fc00::12: Matches packets with the destination IPv6 address fc00::12.
  • -j ACCEPT: Jumps to the ACCEPT target, allowing the packet to proceed.

No SSH configuration is required for this example.

Linux Rocks Every Day