Re: to snat or to dnat .. that is the question

On June 1, 2004 10:51 am, Peter Marshall wrote:
> yes, my firewall is the default route on all internal boxes
>
> ----- Original Message -----
> From: "Piszcz, Justin Michael" <justin.piszcz@xxxxxxxxxxxx>
> To: "Peter Marshall" <peter.marshall@xxxxxxxxx>; "netfilter"
> <netfilter@xxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, June 01, 2004 11:42 AM
> Subject: RE: to snat or to dnat .. that is the question
>
>
> If the box 192.168.0.20 does not have the firewall's IP as its default
> route, then it will not work correctly (DNAT), I am not sure about SNAT.
>
>
> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Peter Marshall
> Sent: Tuesday, June 01, 2004 10:30 AM
> To: netfilter
> Subject: to snat or to dnat .. that is the question
>
> Hi again.
>
> I am at a bit of a quandary, and am not sure what to do.
>
> Let the external interface on my firewall be 100.100.100.100
> I have an internal box, 192.168.0.20, that needs to connect to an
> external box 200.200.200.200 on port 2000.
>
> I want the internal box to connect to hit my firewall on a different
> port .. say 15000
>
> so basically
>
> start: .... -s 192.168.0.20 -d 200.200.200.200 --dport 15000
> after firewall -s 100.100.100.100 -d 200.200.200.200 --dport 2000
>
> How can I do this ?
>
> I started out with:
>
> $IPT -t nat -A POSTROUTING -p tcp -d 200.200.200.200 --dport 15000 -o eth0 \
>        -j SNAT --to-source 100.100.100.100
>
> But this does not change the destination port (obviously). I thought
> about doing the following
>
> $IPT -t nat -A PREROUTING -p tcp -d 100.100.100.100 --dport 15000 -i eth0 \
>          -j DNAT --to-destination 200.200.200.200:2000
>
> However, I don't think that this will change my source address.  Also,
> will this even forward the packets?  They would be coming on the input
> chain, would they not?

	Since you've done this in PREROUTING, no, they won't hit the INPUT chain.
	This is where to start.
>
>

	You need then to have a FORWARD rule to allow the packets, and
ESTABLISHED,RELATED, and then in POSTROUTING add a rule to SNAT those packets
destined to 200.200.200.200:2000 (you could, if need be, add the source to
the rule as well).
> Thank you for the help.
> Peter Marshall
>
>
> Peter Marshall, BCS
> Network Administrator, CARIS
> 115 Waggoners Lane, Fredericton NB, E3B 2L4 CANADA


	Alistair Tonner
	-- from slightly west of there, on the last lake 
	T.O.
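The rule set Alistair describes (DNAT in PREROUTING, a FORWARD allow plus ESTABLISHED,RELATED, SNAT in POSTROUTING), written out with the addresses from Peter's question as an added example rather than anything posted in the thread. The interface names eth0/eth1, the firewall's internal address 192.168.0.1 and the DRY_RUN review mode are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed: eth0 is the external interface,
# eth1 the internal one, and 192.168.0.1 the firewall address the client dials.
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
FW_INT=${FW_INT:-192.168.0.1}
FW_EXT=100.100.100.100
CLIENT=192.168.0.20
SERVER=200.200.200.200
FAKE_PORT=15000
REAL_PORT=2000

# Review mode: print each rule instead of applying it. Default is to print so
# the rule set can be checked without root; run with DRY_RUN=0 to apply.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

nat_rules() {
    # 1. PREROUTING: client -> firewall:15000 becomes client -> server:2000.
    #    Packets rewritten here are routed through FORWARD, not INPUT.
    run "$IPT" -t nat -A PREROUTING -i "$INT_IF" -p tcp -s "$CLIENT" \
        -d "$FW_INT" --dport "$FAKE_PORT" \
        -j DNAT --to-destination "$SERVER:$REAL_PORT"
    # 2. FORWARD: allow only the rewritten flow outbound, plus its replies.
    run "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -s "$CLIENT" \
        -d "$SERVER" --dport "$REAL_PORT" -m state --state NEW -j ACCEPT
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. POSTROUTING: rewrite the source to the external address, restricted
    #    to this client and destination as the reply suggests.
    run "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -p tcp -s "$CLIENT" \
        -d "$SERVER" --dport "$REAL_PORT" -j SNAT --to-source "$FW_EXT"
}

nat_rules
```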

