If you can connect from your local machine to your program, can you add:

    # match on the destination address: -i takes an interface name, not an IP
    iptables -t nat -A PREROUTING -j DNAT -d <external_ip> -p tcp --dport 5999 --to-destination <firewall_internal_ip>
    # -i is not accepted in POSTROUTING; after the DNAT above the destination is <firewall_internal_ip>
    iptables -t nat -A POSTROUTING -j SNAT -d <firewall_internal_ip> -p tcp --dport 5999 --to-source <firewall_internal_ip>

Although, I am not 100% sure that the firewall will reach prerouting if it is internally redirected to lo...

Barring that, you may need to set up a raw proxy process that just forwards the packets from port abc to 5999. In that case, you would have a program listening on a predefined port; let's assume the port is 5998 for this example. To wire the iptables to connect to the proxy program, connect:

    # hand connections arriving on 5999 to the proxy listening on 5998
    iptables -t nat -A PREROUTING -j DNAT -d <external_ip> -p tcp --dport 5999 --to-destination <external_ip>:5998
    myproxyprogram --lhost <external_ip> --lport 5998 --dhost <external_ip> --dport 5999

Of course this and all strategies will blow up if this authentication daemon sends IP/port numbers as a check on the integrity of the connection... I hate those programs!!!

-----Original Message-----
From: mick [mailto:mick@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, June 18, 2003 9:54 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Ip handling

I have a dilemma and I'm not sure how to handle it. I run a login server on port 5999 that does authentication based on IP address. So when someone with a dynamic internet connection tries to log in with a different IP than the registered one, the login server rejects them.

I am not good enough with iptables to know if it is possible or not, but is there some way to make it so all connections to that port (5999) appear to come from my local network 192.168.0?

The other method I thought about was running my authentication/login server on another machine behind the firewall, but I think I would have to make all packets coming from the internet to that port appear to come from the local network prior to forwarding them to the other server.

Both of which I am unsure how to accomplish. The authentication server is a binary that is not Linux/Unix natively, so at this time I cannot recode it and remove the IP matching function. Any help with this problem is greatly appreciated.

Mick

Does anyone know of a way to make, say, all connections from the outside going to my outside IP address appear to be coming from my local LAN of 192.168.0.1?
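
The "raw proxy process" suggested in the reply could look like the sketch below. It is an added example, not code from the thread (`myproxyprogram` there is only a placeholder); the function names and the bind and destination addresses in the `__main__` block are assumptions.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while (data := src.recv(4096)):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer reset or socket already closed

def handle(client, dhost, dport):
    """Relay one client. The login server sees this new connection's source
    address (the proxy host), not the client's, for every caller."""
    try:
        upstream = socket.create_connection((dhost, dport), timeout=10)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()

def start_relay(lhost, lport, dhost, dport):
    """Listen on lhost:lport and relay each connection to dhost:dport.
    Returns the listening socket; closing it stops the accept loop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((lhost, lport))
    srv.listen(16)
    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=handle, args=(client, dhost, dport),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

if __name__ == "__main__":
    # Assumed addresses: listen on 5998 (the DNAT target), forward to 5999.
    start_relay("0.0.0.0", 5998, "127.0.0.1", 5999)
    threading.Event().wait()
```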