On Wed, 2005-09-28 at 13:09, James Pifer wrote: > > This need to happen in the nat table: > > > > iptables -t nat -A PREROUTING -p tcp -d 10.10.60.3 --dport 5900 -j DNAT > > --to-destination 10.10.60.4:5900 > > > > Make sure 10.10.60.4 is using 10.10.60.3 as it's router for this traffic. > > > > Kirk > > I can't make 10.10.60.3 use 10.10.60.4 as the router. Other way around - the actual destination must route back through the one that did the DNAT. The packet has to come back through the same machine so the reverse nat is applied to the returning packets on the connection. Otherwise the originating client will see packets coming back from 10.10.60.4 and not associate it with the connection it is trying to make to 10.10.60.3. > If I loaded a port forwarding application on 10.10.60.3 and had it > forward ports to .4 for port 5900 I would not have this requirement. > > Can't iptables to the same thing somehow? You have to source nat as well if the packets wouldn't otherwise route back through the host doing DNAT. > I have a java application that would do the port forwarding I need, > EXCEPT, that application will not let me restrict by ip address. BUT, > now that I think about it, I could run this java application to forward > the ports and just use iptables to make that port only available to > certain IPs. It would be accomplishing the same thing I suppose. > > Would still rather do it with iptables since that would be one less > point of failure. Note that xinetd can also proxy any tcp connection with it's 'redirect' option, and the destination server will see the xinetd host as the source and thus return packets without concerns about routing to the client. -- Les Mikesell lesmikesell@xxxxxxxxx