Thanks, for dport would I have to do a couple of rules for the different ports?

For example:

iptables -A PREROUTING -t nat -s 172.16.0.1 -d 172.16.0.2 -p tcp --dport 1433 -j DNAT --to 192.168.0.1
iptables -A FORWARD -s 172.16.0.1 -d 192.168.0.1 -p tcp --dport 1433 -j ACCEPT

and

iptables -A PREROUTING -t nat -s 172.16.0.1 -d 172.16.0.2 -p tcp --dport 5000:5025 -j DNAT --to 192.168.0.1
iptables -A FORWARD -s 172.16.0.1 -d 192.168.0.1 -p tcp --dport 5000:5025 -j ACCEPT

Or would it be possible to do multiple ports in the two rules? For example, saying I want to forward on port 1433 and ports 5000 to 5025, etc.

Thanks
Mark

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: 25 June 2004 10:52
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Redirecting from one ip to another problem

On Friday 25 June 2004 10:39 am, Mark C. Casey wrote:

> The address of the firewall/gateway on eth1 is 172.16.0.254.
> The 172.16.0.2 will only exist so the webserver can see 192.168.0.1 as
> 172.16.0.2. Ideally I'd want it working on a number of ports (or just
> redirect the IP).
>
> For example 1433/tcp, 5000-5025/tcp etc.

In that case adjust the "--dport 3306" which I suggested earlier (assuming that you just needed MySQL access).

> How do I do the "If it's imaginary, you need to apply that address to eth1
> on the firewall, then do:"?

ip addr add 172.16.0.2 dev eth1

Regards,

Antony.

> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
> Sent: 25 June 2004 10:21
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Redirecting from one ip to another problem
>
> On Friday 25 June 2004 9:31 am, Mark C. Casey wrote:
> > I'm in the process of replacing the current firewall with an IPCop
> > machine, however I'm needing to replicate one rule that is causing me
> > something of a headache.
> > On eth0 is the router (connected to the net), on eth1 is a webserver,
> > on eth2 is a switch which is connected up to the LAN.
> >
> > The IP address of the webserver is 172.16.0.1.
> >
> > On eth2 is a SQL server with the IP address of 192.168.0.1.
> >
> > The current firewall has it set up so that when connecting to 172.16.0.2
> > it redirects the traffic to 192.168.0.1, and so the webserver is able to
> > access the SQL server without ever knowing its real IP address.
> >
> > How can this be replicated using IPTables? All my attempts thus far have
> > failed miserably to replicate this.
>
> Is address 172.16.0.2 that of the firewall, or is it an imaginary address?
>
> If it's imaginary, you need to apply that address to eth1 on the firewall,
> then do:
>
> iptables -A PREROUTING -t nat -s 172.16.0.1 -d 172.16.0.2 -p tcp --dport 3306 -j DNAT --to 192.168.0.1
> iptables -A FORWARD -s 172.16.0.1 -d 192.168.0.1 -p tcp --dport 3306 -j ACCEPT
>
> Regards,
>
> Antony.

--

This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour, or irrational religious beliefs. If you have received this email in error, you are required to shred it immediately, add some nutmeg, three egg whites and a dessertspoonful of caster sugar. Whisk until soft peaks form, then place in a warm oven for 40 minutes. Remove promptly and let stand for 2 hours before adding some decorative kiwi fruit and cream. Then notify me immediately by return email and eat the original message.

Please reply to the list; please don't CC me.
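As an added example (not code from the thread, and not an answer any of its participants gave), the script below builds the DNAT and FORWARD rules for Mark's scenario using iptables' `multiport` match, so that 1433 and 5000-5025 fit in one DNAT rule and one FORWARD rule rather than a pair of rules per port range. The addresses, interface and port list come from the thread; the `ipt` wrapper, the `DRY_RUN` switch, the `multiport_slots` helper and the state-based return-traffic rule are additions here. It assumes the firewall's FORWARD chain is not default-ACCEPT (so the reply direction needs its own rule), that the alias 172.16.0.2 has already been added to eth1 as Antony describes, and that the `multiport` and `state` match modules are available. One limit the helper enforces: `multiport` accepts at most 15 ports per rule, and a range `a:b` counts as two.

```shell
#!/bin/sh
# Added example: DNAT a list of TCP ports from an alias address on the
# firewall (172.16.0.2 on eth1) to the real SQL server (192.168.0.1),
# limited to the web server 172.16.0.1 as source. Assumed values below
# are taken from the mailing-list thread; the helpers are not from it.
#
# Usage:  sh dnat-multiport.sh show    # print the rules (DRY_RUN)
#         sh dnat-multiport.sh apply   # really run iptables (as root)

WEB_SRC=172.16.0.1
ALIAS_DST=172.16.0.2
SQL_DST=192.168.0.1
PORTS="1433,5000:5025"   # multiport syntax: comma list, ranges as a:b

# Run one iptables command, or just print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Count the multiport slots a --dports list uses. The match allows at
# most 15, and a range (a:b) occupies two of them.
multiport_slots() {
    slots=0
    for p in $(echo "$1" | tr ',' ' '); do
        case "$p" in
            *:*) slots=$((slots + 2)) ;;
            *)   slots=$((slots + 1)) ;;
        esac
    done
    echo "$slots"
}

# Emit the three rules. Returns 1 (and emits nothing) if the port list
# would not fit a single multiport match.
install_rules() {
    if [ "$(multiport_slots "$PORTS")" -gt 15 ]; then
        echo "install_rules: '$PORTS' exceeds multiport's 15-port limit" >&2
        return 1
    fi
    # Rewrite the destination before routing; the port is kept as-is
    # because --to-destination carries no port.
    ipt -A PREROUTING -t nat -s "$WEB_SRC" -d "$ALIAS_DST" -p tcp \
        -m multiport --dports "$PORTS" -j DNAT --to-destination "$SQL_DST"
    # FORWARD sees the packet after DNAT, so it matches on the real address.
    ipt -A FORWARD -s "$WEB_SRC" -d "$SQL_DST" -p tcp \
        -m multiport --dports "$PORTS" -j ACCEPT
    # Replies from the SQL server cross FORWARD too; accept them by
    # connection state instead of maintaining a mirrored port list.
    ipt -A FORWARD -s "$SQL_DST" -d "$WEB_SRC" -p tcp \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply) install_rules ;;
    show)  DRY_RUN=1; install_rules ;;
esac
```

Running it with `show` prints the three commands without touching the kernel, which is the safest way to review what `--dports 1433,5000:5025` expands to before applying. The conntrack return rule matters on an IPCop-style box where FORWARD defaults to DROP; without it the SYN reaches the SQL server but its SYN/ACK never gets back to the web server.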