On Wed, 2007-11-07 at 09:26 -0500, Cirroc wrote:
> Essentially, since all the traffic passes through the server, I can use
> iptables to restrict the traffic to only the few known-good ports that
> the application needs.
I do similar things here, and make good use of the nat table in the
kernel netfilter to rewrite both the destination (DNAT) and source
(SNAT) addresses as necessary so that packets go where I want them and
appear to come from wherever I say they do in the nat table.
Without addressing your problem specifically, my approach would be to
explore creative address rewriting :-) You can get _very_ creative with
it, and if you do it right, it'll just work.
> I'd love any help or thoughts in setting this up... It feels so close,
> yet so frustratingly far away.
I know the feeling well .... ;-)
Another solution I have used for inflexible legacy systems is to take
advantage of SSH port forwarding. Have a system,
<fake_target_host>, SSH to itself with port forwarding enabled.
e.g. ssh -L <port>:<real_target_host>:<port> localhost
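The two ideas above (default-deny forwarding on the known-good ports, plus DNAT/SNAT rewriting in the nat table) as an added worked example; this is not code from the thread. Interface names, addresses and the port list are constructed placeholders, and setting IPT="echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal netfilter policy for a
# gateway box sitting between a legacy client and the real target host.
# Set IPT="echo iptables" to print the rules instead of applying them.
IPT="${IPT:-iptables}"

# Constructed placeholder values; replace with your own.
LAN_IF=eth0               # interface facing the legacy client
WAN_IF=eth1               # interface facing the real target
FAKE_TARGET=192.0.2.10    # address the legacy app is hard-wired to
REAL_TARGET=198.51.100.20 # where the service actually lives
GATEWAY_WAN=198.51.100.1  # this box's address on the target side

# Space-separated list of the only TCP ports the application needs.
ALLOWED_PORTS="22 443"

apply_rules() {
    # Default-deny forwarding: only explicitly allowed flows pass.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    for port in $ALLOWED_PORTS; do
        # DNAT: packets the client sends to the fake address are rewritten
        # to the real target before the routing decision.
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$FAKE_TARGET" \
            --dport "$port" -j DNAT --to-destination "$REAL_TARGET:$port"
        # Forward new connections only on the allowed port, only to the
        # real target; everything else hits the DROP policy.
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -d "$REAL_TARGET" \
            --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # SNAT: replies must come back through this box, so rewrite the source
    # to the gateway's own address on the target side.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -d "$REAL_TARGET" \
        -j SNAT --to-source "$GATEWAY_WAN"
}
```

Call apply_rules as root to load the policy; with IPT="echo iptables" it only prints the rule set so it can be reviewed first.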