Re: Forwarding help

On Thursday 27 November 2003 11:07 am, sc2@xxxxxx wrote:

> Thanks for the answer Antony.
> Here is the complete rules list; sorry for the xx.xx.xx, it was stupid of me
> (full range)...
> IP: xx.xxx.24.51 should be forwarded to IP: xx.xxx.24.58
> (only for one port)
> thank you
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -F FORWARD
> iptables -t nat -F
> iptables -A FORWARD -j LOG
> iptables -A FORWARD -p udp -d xx.xxx.24.58 --dport xxx21 -j ACCEPT
> iptables -t nat -A PREROUTING -p udp -d xx.xxx.24.51 --dport xxx21 -j DNAT --to xx.xxx.24.58:xx021
>
> iptables -A FORWARD -p tcp -d xx.xxx.24.58 --dport xxx21 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -d xx.xxx.24.51 --dport xxx21 -j DNAT --to xx.xxx.xx.58:xxx21

The only thing I can see missing here is a rule to allow the replies back 
through the Firewall in the other direction (the FORWARD rules you have shown 
only allow the first packet of the initial connection).

So "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" might 
be a good idea.

However, the fact that the original address, and the translated address, are 
both in the same network range, makes me ask "is the client which is trying 
to access xx.xxx.25.51 on the other side of the Firewall (ie the client must 
not be on the same subnet as the server xx.xxx.25.58)?"

My final question is: what is the actual port number (or alternatively, what 
is the service you are trying to NAT)? Are you sure it is a protocol which 
doesn't mind being NATted (some do, some don't, some need helpers)?

Antony.

-- 
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.

                                                     Please reply to the list;
                                                           please don't CC me.
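The ruleset from the thread with the reply rule Antony suggests folded in, as an added example (not code from either poster). Addresses and port are constructed stand-ins for the masked values; IPT and SYSCTL default to dry-run echo so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example: DNAT one port from an advertised address to the real server,
# including the FORWARD rule for reply traffic that the original ruleset lacked.
# Dry run by default; set IPT=iptables SYSCTL=sysctl to apply for real.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

EXT_IP="192.0.2.51"   # constructed stand-in for xx.xxx.24.51 (advertised address)
INT_IP="192.0.2.58"   # constructed stand-in for xx.xxx.24.58 (real server)
PORT="2121"           # constructed stand-in for the masked port

# Emit the DNAT and FORWARD rules for one protocol (udp or tcp).
build_forward_rules() {
    proto="$1"
    # Rewrite the destination before routing so the packet heads to the real server.
    $IPT -t nat -A PREROUTING -p "$proto" -d "$EXT_IP" --dport "$PORT" \
        -j DNAT --to "$INT_IP:$PORT"
    # FORWARD sees the post-DNAT address, so match on INT_IP here.
    $IPT -A FORWARD -p "$proto" -d "$INT_IP" --dport "$PORT" -m state --state NEW -j ACCEPT
}

# Full ruleset in the order it must be loaded.
apply_ruleset() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -F FORWARD
    $IPT -t nat -F
    # Replies come back through FORWARD in the other direction; without this
    # rule only the first packet of each connection gets through.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Placed after the state rule so only new connections are logged.
    $IPT -A FORWARD -j LOG --log-prefix "FWD: "
    build_forward_rules udp
    build_forward_rules tcp
    # Anything not explicitly accepted above is dropped.
    $IPT -P FORWARD DROP
}

apply_ruleset
```

This assumes the client is on the far side of the firewall from the server, as Antony asks; a client on the server's own subnet would get replies directly from INT_IP and the connection would fail without an additional source NAT on POSTROUTING.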
