On Thursday 27 February 2003 01:14 pm, PiSiC... wrote:
> First of all thanks for help ...
> but I'm kinda new with iptables and I want to show you the big
> picture :
>
> - I heard something about static NAT and dynamic NAT (not source or
> destination NAT) and I'm not sure I fully understand what is the
> applicability on my situation.

Static is a static IP, Dynamic with a Dynamic IP.

Source NAT is where you change the source IP on an outbound packet so it appears to originate at the firewall, instead of a private IP 'behind' it.

Destination NAT is where you change the destination of an (usually) incoming packet to send it elsewhere, usually used to send traffic coming to a public IP to a machine 'behind' the firewall with a private IP address.

For SNAT (Source NAT) netfilter offers two flavors - SNAT uses a single static IP, and MASQUERADE checks the IP of the interface to make sure it uses the correct IP in a Dynamic IP setup.

> the situation is this :
>
> I have a radio link with only one statically allocated IP
> (aaa.bbb.ccc.ddd) which is connected on my linux machine on eth1
> eth0 on the same machine is connected on LAN.
> I have up and running Webserver, SMTP, FTP and POP3.
> I want to run now 2 webservers one on external and one on
> internal (that is easy with binding on their interfaces).
> But I want also to allow access from the world to a third webserver
> which runs on 192.168.13.199:80 which will be accessible on port 33333
> on my external IP.

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 33333 -j DNAT --to 192.168.13.199:80

Along with FORWARD rules to allow port 80 traffic going to 192.168.13.199 and to allow return traffic.

Likely return traffic will already get through if your iptables box is allowing internet access from machines on the LAN right now, but this would do it if not:

    iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

The inbound would be allowed with:

    iptables -A FORWARD -d 192.168.13.199 -p tcp --dport 80 -j ACCEPT
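The DNAT plus FORWARD rule set from the reply above, as an added script that is not part of the original thread: it generates the rules for one port-forward from parameters, and defaults to printing the commands (IPTABLES=echo) so it can be reviewed before being applied; the interface, port and host values are the ones from the thread, and the NEW-state restriction on the inbound FORWARD rule is an assumption added here to keep the opening tight.

```shell
#!/bin/sh
# Added example (not from the original mailing-list reply): build the
# netfilter rules that forward external TCP port EXT_PORT to an internal
# host. IPTABLES defaults to "echo", so running this only prints the rules;
# set IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo}"

# port_forward EXT_IF EXT_PORT INT_IP INT_PORT
port_forward() {
    ext_if=$1; ext_port=$2; int_ip=$3; int_port=$4

    # 1. PREROUTING DNAT: rewrite the destination of packets arriving on the
    #    external interface for EXT_PORT so they are routed to INT_IP:INT_PORT.
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"

    # 2. FORWARD: let the rewritten packets through, but only new connections
    #    to exactly this host and port (assumed restriction, least privilege).
    $IPTABLES -A FORWARD -i "$ext_if" -d "$int_ip" -p tcp --dport "$int_port" \
        -m state --state NEW -j ACCEPT

    # 3. FORWARD: return traffic for connections conntrack already knows about.
    $IPTABLES -A FORWARD -i "$ext_if" -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
}

# The thread's case: world -> aaa.bbb.ccc.ddd:33333 on eth1 -> 192.168.13.199:80
port_forward eth1 33333 192.168.13.199 80
```

Forwarding between eth1 and eth0 also needs net.ipv4.ip_forward set to 1, which the rules above do not do.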