The last part is the easy part.

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

This will mean any computer from 192.168.0.0/24 that is trying to access something that is behind eth0 (presumed to be the internet connection interface) will be masqueraded. Now all computers can get online.

To forward for example port 80 to a webserver which we will presume is 192.168.0.5:

    iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --destination-port 80 -j DNAT --to-destination 192.168.0.5

Now any connection to port 80 of 1.2.3.4 (presumed to be your public IP address) will be redirected to 192.168.0.5. Normally you would also need to remap the address on the way out:

    iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.5 --source-port 80 -j SNAT --to-source 1.2.3.4

but I don't think you will need that since you are already masquerading.

The same idea works for the videoconferencing thing. You can use for example --destination-port 1000:10000 to mean all ports between 1000 and 10000 inclusive. You can also just say 1000: to mean all ports from 1000 up.

I'm kinda new to NAT, but I think this will work.

> I'm trying to set up a home network and I have a problem that I hope I can
> get some help with by all you competent subscribers. My network will have
> one computer as a combined router/firewall running SuSE Linux 8.0 (Kernel
> 2.4.18). The internal network will be a mix of Windows and Linux computers.
> One of the computers has a webcam connected to it, which is used for video
> conferences with my friends. The conference software is MSN Messenger, which
> has a pretty peculiar network protocol since it opens dynamically allocated
> ports, above port 1000, in both directions. My idea is to solve this by
> routing all incoming requests on ports above port 1000 to the fixed internal
> address of the webcam computer.
>
> The setup is complicated by the fact that I would like to have a web server
> etc. installed on the router/firewall server where I can publish my own
> pages, i.e. it will service some of the ports below port 1000.
>
> If it's at all possible I would also like to be able to connect additional
> computers to the internal network which have Internet access using NAT rules
> set up in the firewall and have their internal IP addresses assigned via
> DHCP.
>
> The setup would have been rather simple if it wasn't for the fact that I
> have only one public IP address at my disposal.
>
> Kind regards, Ola Theander
>
> -
> : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
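The rules the reply sketches, assembled into one dry-run script as an added example (not code from the thread). It assumes the reply's values (eth0 as the public interface, 1.2.3.4 as the public IP, 192.168.0.0/24 as the LAN, 192.168.0.5 as the webcam host) and adds the FORWARD-chain and ip_forward settings that the nat-table rules alone do not cover.

```shell
#!/bin/sh
# Added example, not from the thread: the single-public-IP setup the reply sketches,
# written as a dry-run script. Assumed values: eth0 is the public interface,
# 1.2.3.4 the public IP, 192.168.0.0/24 the LAN, 192.168.0.5 the webcam host.
WAN_IF="${WAN_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-1.2.3.4}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WEBCAM="${WEBCAM:-192.168.0.5}"

# Print the command by default; with APPLY=1 (as root) execute it instead.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Full ruleset: LAN masquerading, every TCP/UDP port from 1000 up forwarded to the
# webcam host, ports below 1000 left alone so the router's own web server answers them.
nat_rules() {
    # Outbound: hide the whole LAN behind the one public address.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    for proto in tcp udp; do
        # Inbound: "1000:" means port 1000 and everything above it. Matching on the
        # public interface keeps LAN-to-router traffic on high ports unaffected.
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$PUBLIC_IP" --dport 1000: \
            -j DNAT --to-destination "$WEBCAM"
        # DNAT only rewrites the destination; the filter table must also let the
        # forwarded packets through, or a FORWARD policy of DROP discards them.
        ipt -A FORWARD -i "$WAN_IF" -p "$proto" -d "$WEBCAM" --dport 1000: -j ACCEPT
    done
    # Replies to connections the LAN opened, and the LAN's own outbound traffic.
    ipt -A FORWARD -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    ipt -P FORWARD DROP
}

# Sanity check on the generated ruleset: number of DNAT rules (2: tcp and udp).
dnat_rule_count() { nat_rules | grep -c -- '-j DNAT'; }

# Routing between interfaces also needs IP forwarding switched on in the kernel.
enable_forwarding() {
    if [ "${APPLY:-0}" = "1" ]; then echo 1 > /proc/sys/net/ipv4/ip_forward
    else echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'; fi
}

enable_forwarding
nat_rules
```

Forwarding every port from 1000 up exposes any listener on the webcam host; once the software's actual port range is known, narrowing the `1000:` match reduces that exposure.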