So ... for every NAT I have going from my internal network on a specific port, destined to an external IP on a different port, I need to have something like this?

$IPT -t nat -A PREROUTING -p tcp -d <firewall_ip> --dport 15000 -i eth0 \
    -j DNAT --to-destination <some_internet_ip>:2000
$IPT -t nat -A POSTROUTING -p tcp -d <some_internet_ip> --dport 2000 -o eth0 \
    -j SNAT --to-source <firewall_ip>

Is there a better way??? I have about 20 routes to add.....

Thank you for your help.
Peter

----- Original Message -----
From: "Alistair Tonner" <Alistair@xxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, June 01, 2004 12:16 PM
Subject: Re: to snat or to dnat .. that is the question

On June 1, 2004 10:51 am, Peter Marshall wrote:
> yes, my firewall is the default route on all internal boxes
>
> ----- Original Message -----
> From: "Piszcz, Justin Michael" <justin.piszcz@xxxxxxxxxxxx>
> To: "Peter Marshall" <peter.marshall@xxxxxxxxx>; "netfilter"
> <netfilter@xxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, June 01, 2004 11:42 AM
> Subject: RE: to snat or to dnat .. that is the question
>
> If the box 192.168.0.20 does not have the firewall's IP as its default
> route, then it will not work correctly (DNAT), I am not sure about SNAT.
>
> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Peter Marshall
> Sent: Tuesday, June 01, 2004 10:30 AM
> To: netfilter
> Subject: to snat or to dnat .. that is the question
>
> Hi again.
>
> I am at a bit of a quandary, and am not sure what to do.
>
> Let the external interface on my firewall be 100.100.100.100
> I have an internal box, 192.168.0.20, that needs to connect to an external
> box 200.200.200.200 on port 2000.
>
> I want the internal box to connect to hit my firewall on a different port ..
> say 15000
>
> so basically
>
> start: .... -s 192.168.0.20 -d 200.200.200.200 --dport 15000
> after firewall: -s 100.100.100.100 -d 200.200.200.200 --dport 2000
>
> How can I do this?
>
> I started out with:
>
> $IPT -t nat -A POSTROUTING -d 200.200.200.200 --dport 15000 -p tcp -i eth0 \
>     -j SNAT --to-source 100.100.100.100
>
> But this does not change the destination port (obviously). I thought about
> doing the following
>
> $IPT -t nat -A PREROUTING -d 100.100.100.100 --dport 15000 -p tcp -i eth0 \
>     -j DNAT --to-destination 200.200.200.200 --dport 2000
>
> However, I don't think that this will change my source address. Also, will
> this even forward the packets? They would be coming in on the INPUT chain,
> would they not?

Since you've done this in PREROUTING, no, they won't hit the INPUT chain. This is where to start.

You need then to have a FORWARD rule to allow the packets, and ESTABLISHED,RELATED, and then in POSTROUTING add a rule to SNAT those packets destined to 200.200.200.200:2000 (you could, if need be, add the source to the rule as well).

> Thank you for the help.
> Peter Marshall
>
> Peter Marshall, BCS
> Network Administrator, CARIS
> 115 Waggoners Lane, Fredericton NB, E3B 2L4 CANADA

Alistair Tonner -- from slightly west of there, on the last lake T.O.
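For the "20 routes" question, one way to keep the DNAT / FORWARD / SNAT triplet Alistair describes in a single table instead of 60 hand-typed rules is a small generator script. This is an added example, not code from the thread; it assumes eth1 is the internal interface, eth0 the external one, that the internal clients send to the firewall's internal address 192.168.0.1, and that $IPT points at iptables. By default it only prints the commands.

```shell
#!/bin/sh
# Generates iptables rules for port-redirect mappings through the firewall.
# Assumptions (not from the thread): internal interface eth1, external eth0,
# firewall internal address 192.168.0.1, external address 100.100.100.100.
IPT=${IPT:-/sbin/iptables}
FW_INT_IP=192.168.0.1        # address the internal boxes connect to
FW_EXT_IP=100.100.100.100    # address the outside world sees (SNAT source)
INT_IF=eth1
EXT_IF=eth0

# Constructed mapping table, one per line: local_port remote_ip remote_port
MAPPINGS='
15000 200.200.200.200 2000
15001 200.200.200.201 2001
'

# Emit the three rules for one mapping (prints, does not execute).
# DNAT in PREROUTING rewrites the destination before routing, so the
# packet is forwarded rather than delivered to INPUT; FORWARD must then
# accept it, and POSTROUTING SNAT hides the internal source address.
nat_rules_for() {
    lport=$1; rip=$2; rport=$3
    printf '%s\n' \
      "$IPT -t nat -A PREROUTING -i $INT_IF -p tcp -d $FW_INT_IP --dport $lport -j DNAT --to-destination $rip:$rport" \
      "$IPT -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -d $rip --dport $rport -m state --state NEW -j ACCEPT" \
      "$IPT -t nat -A POSTROUTING -o $EXT_IF -p tcp -d $rip --dport $rport -j SNAT --to-source $FW_EXT_IP"
}

# Full rule list: one shared ESTABLISHED,RELATED rule for the return
# traffic, then three rules per mapping (blank table lines are skipped).
gen_all() {
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$MAPPINGS" | while read -r lport rip rport; do
        [ -n "$lport" ] || continue
        nat_rules_for "$lport" "$rip" "$rport"
    done
}

# Number of rules that would be installed: 1 + 3 * mappings.
rule_count() { gen_all | wc -l | tr -d ' '; }

# Dry run by default; DRY_RUN=0 pipes the commands into sh (needs root).
if [ "${DRY_RUN:-1}" = "1" ]; then gen_all; else gen_all | sh; fi
```

Adding a mapping is then one new line in MAPPINGS; rule_count gives a quick sanity check that the generated set has the expected size before applying it.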