Re: Redirecting from one ip to another problem

On Friday 25 June 2004 11:02 am, Mark C. Casey wrote:

> Thanks. For dport, would I have to do a couple of rules for the different
> ports?
>
> For example:
>
> iptables -A PREROUTING -t nat -s 172.16.0.1 -d 172.16.0.2 -p tcp --dport 1433 -j DNAT --to 192.168.0.1
> iptables -A FORWARD -s 172.16.0.1 -d 192.168.0.1 -p tcp --dport 1433 -j ACCEPT
>
> and
>
> iptables -A PREROUTING -t nat -s 172.16.0.1 -d 172.16.0.2 -p tcp --dport 5000:5025 -j DNAT --to 192.168.0.1
> iptables -A FORWARD -s 172.16.0.1 -d 192.168.0.1 -p tcp --dport 5000:5025 -j ACCEPT

Yes.

> Or would it be possible to do multiple ports in the two rules?

There is a multi-port match patch available in patch-o-matic, however for the 
limited number of ports you seem to want I suspect it's not worth going to 
that bother.

On Friday 25 June 2004 11:16 am, Mark C. Casey wrote:

> Oh, another question.
>
> Is it possible to point an external ip address that we have to an internal
> machine so when said machine tries accessing the external ip address it
> simply accesses itself?

No, replies won't work.

> For example, say externally (on the internet) I have an ip address of
> 62.39.23.52. If 172.16.0.1 tries accessing 62.39.23.52 it simply points to
> 172.16.0.1 instead? (so, say I tried pinging or ftp'ing to 62.39.23.52 it
> would be accessing 172.16.0.1 from 172.16.0.1)

Think about it:

172.16.0.1 sends a packet to 62.39.23.52
Firewall NATs this address to 172.16.0.1
172.16.0.1 receives a packet with its own source address, and replies.
172.16.0.1 gets a reply packet from 172.16.0.1 (or, possibly, 127.0.0.1) when it expected the reply to come back from 62.39.23.52
Machine unhappy - doesn't work.

Regards,

Antony.

-- 
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.

                                                     Please reply to the list;
                                                           please don't CC me.
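As an added illustration of the four steps in the reply above (example code written for this archive page, not from the thread), a small Python model of the packet flow: the first case is the DNAT-only setup Antony describes, and the second goes beyond his reply by also rewriting the source address on the firewall, which is the usual way such hairpin connections are made to work. The firewall LAN address 172.16.0.254 and the port numbers are assumptions; the other addresses are the ones in the mail.

```python
# Constructed model of the hairpin flow; not code from the original thread.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

CLIENT, EXTERNAL, FW_LAN = "172.16.0.1", "62.39.23.52", "172.16.0.254"
CONNTRACK = {}  # (src, sport, dst, dport) of the expected reply -> original packet

def firewall_forward(pkt, snat=False):
    """PREROUTING DNAT of the external address, optionally followed by a
    POSTROUTING SNAT to the firewall's own LAN address (assumed 172.16.0.254).
    The mapping is remembered so a reply can be translated back."""
    out = replace(pkt, dst=CLIENT) if pkt.dst == EXTERNAL else pkt
    if snat:
        out = replace(out, src=FW_LAN)
    CONNTRACK[(out.dst, out.dport, out.src, out.sport)] = pkt
    return out

def firewall_reverse(pkt):
    """Undo the translation for a reply that came back through the firewall."""
    orig = CONNTRACK.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if orig is None:
        return pkt
    return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def host_reply(pkt):
    """The DNAT target answers whatever source address the packet carried."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def deliver_reply(reply):
    """A reply addressed to a host on the same subnet never passes the firewall;
    only a reply addressed to the firewall itself gets translated back."""
    return firewall_reverse(reply) if reply.dst == FW_LAN else reply

def attempt(snat):
    """Returns (source address the client sees on the reply, accepted?)."""
    CONNTRACK.clear()
    syn = Packet(CLIENT, 40000, EXTERNAL, 21)
    reply = deliver_reply(host_reply(firewall_forward(syn, snat)))
    # The client socket only accepts a reply from the peer it connected to.
    expected = (EXTERNAL, 21, CLIENT, 40000)
    return reply.src, (reply.src, reply.sport, reply.dst, reply.dport) == expected

if __name__ == "__main__":
    print("DNAT only:", attempt(snat=False))  # ('172.16.0.1', False)
    print("DNAT+SNAT:", attempt(snat=True))   # ('62.39.23.52', True)
```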