Hi Urgrue.

Thanks for your answer. This seems like a solution. One thing though about the web server. The web server and the firewall/router are the same computer. As I understand it from your suggestion I should set up a virtual network card on the server listening to an internal address and route port 80 traffic to this address? Can't I just skip routing for port 80 and have it listening on the public address?

Kind regards, Ola Theander

> -----Original Message-----
> From: urgrue [mailto:urgrue@tumsan.fi]
> Sent: 21 May 2002 22:23
> To: Ola Theander
> Cc: 'linux-net@vger.kernel.org'
> Subject: Re: HowTo: Route to different internal addresses, depending on port?
>
>
> The last part is the easy part.
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
> This will mean any computer from 192.168.0.0/24 that is trying to access something that is behind eth0 (presumed to be the internet connection interface) will be masqueraded. Now all computers can get online.
> To forward for example port 80 to a webserver which we will presume is 192.168.0.5:
> iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --destination-port 80 -j DNAT --to-destination 192.168.0.5
> Now any connection to port 80 of 1.2.3.4 (presumed to be your public IP address) will be redirected to 192.168.0.5.
> Normally you would also need to remap the address on the way out:
> iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.5 --source-port 80 -j SNAT --to-source 1.2.3.4
> but I don't think you will need that since you are already masquerading.
>
> The same idea works for the videoconferencing thing. You can use for example --destination-port 1000:10000 to mean all ports between 1000 and 10000 inclusive. You can also just say 1000: to mean all ports from 1000 up.
>
> I'm kinda new to nat, but I think this will work.
>
> > I'm trying to set up a home network and I have a problem that I hope I can get some help with by all you competent subscribers. My network will have one computer as a combined router/firewall running SuSE Linux 8.0 (Kernel 2.4.18). The internal network will be a mix of Windows and Linux computers. One of the computers has a webcam connected to it, which is used for video conferences with my friends. The conference software is MSN Messenger, which has a pretty peculiar network protocol since it opens dynamically allocated ports, above port 1000, in both directions. My idea is to solve this by routing all incoming requests on ports above port 1000 to the fixed internal address of the webcam computer.
> >
> > The setup is complicated by the fact that I would like to have a web server etc. installed on the router/firewall server where I can publish my own pages, i.e. it will service some of the ports below port 1000.
> >
> > If it's at all possible I would also like to be able to connect additional computers to the internal network which have Internet access using NAT rules set up in the firewall and have their internal IP addresses assigned via DHCP.
> >
> > The setup would have been rather simple if it wasn't for the fact that I have only one public IP address at my disposal.
> >
> > Kind regards, Ola Theander
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-net"
> > in the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html