Re: port translation

On Tue, 2005-01-04 at 22:23 -1000, Richard wrote:
> Hi,
> 
> I am trying to work on port translation. One inside host with source port
> xxx would always have the same port yyy after NAT. Even after the conntrack
> entry expires, I still want outside incoming packets to port yyy to be able to
> map to the same host and port. This is what I did,
> 
> Assume inside 192.168.25.150:5000 maps to outside 66.1.2.3:60150 on
> interface vlan1,
> 
> # allow outside traffic to come in
> iptables -t nat -I PREROUTING -p udp -i vlan1 -d 66.1.2.3 --dport 60150 -j DNAT --to-destination 192.168.25.150:5000
> 
> # allow outside traffic to go through the router (FORWARD sees the post-DNAT destination, 192.168.25.150:5000)
> iptables -t filter -I FORWARD -p udp -i vlan1 -d 192.168.25.150 --dport 5000 -j ACCEPT
> 
> # allow inside traffic to go out
> iptables -t nat -I POSTROUTING -p udp -o vlan1 -s 192.168.25.150 --sport 5000 -j SNAT --to-source 66.1.2.3:60150
> 
> Can someone please confirm that this is the right way to do it?
> 
> Also if I have multiple internal hosts, for example, one hundred hosts
> 192.168.25.1xy:5000 mapping to 66.1.2.3:601xy, is there a quick way to do it
> instead of 100 blocks of iptables statements?
<snip>
I haven't confirmed it by trying it but it looks like it would work.  I
assume you have a rule somewhere which will allow internal stations to
initiate traffic outbound on port 5000.  This would typically be in your
FORWARD chain just like you have the rule to allow external stations to
initiate traffic.  I also assume that you really want the entire world
to be able to reach the internal device on that port.

I don't know of a way to condense the number of rules you need to do
this direct port mapping in the nat table.  You could use the iprange
patch or subnet addressing to reduce the number of rules in the FORWARD
chain.

I suppose it would be a simple matter to develop a quick bash script to
create an iptables-restore file and load the rules that way rather than
manually entering each.
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
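John's suggestion of a script that writes an iptables-restore file, as an added worked example that is not part of the thread and not code from either poster. The interface name, outside address, inside subnet, host range 192.168.25.100-199 and the 601xy port scheme are assumptions taken from Richard's question (overridable through the environment), and the FORWARD chain is collapsed from 100 per-host rules to two rules using the iprange match John mentions:

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore file for the
# static 1:1 UDP port mapping asked about above,
#   192.168.25.1xy:5000  <->  66.1.2.3:601xy   (xy = 00..99)
# The 100 nat rule pairs come from a loop instead of being typed by hand, and
# the FORWARD rules are two iprange matches instead of 100 per-host rules.
# Every value below is an assumption taken from the question; override via the
# environment if your layout differs.

WAN_IF="${WAN_IF:-vlan1}"
WAN_IP="${WAN_IP:-66.1.2.3}"
LAN_PREFIX="${LAN_PREFIX:-192.168.25}"   # first three octets of the inside hosts
INSIDE_PORT="${INSIDE_PORT:-5000}"
FIRST_HOST="${FIRST_HOST:-100}"           # last octet of the first host (192.168.25.100)
LAST_HOST="${LAST_HOST:-199}"             # last octet of the last host  (192.168.25.199)
PORT_BASE="${PORT_BASE:-60000}"           # outside port = PORT_BASE + last octet (150 -> 60150)

# Outside port for an inside host, given its last octet. Keeps the mapping in one place.
outside_port_for() {
    echo $((PORT_BASE + $1))
}

# Print the complete iptables-restore text on stdout.
gen_static_nat_rules() {
    first_ip="$LAN_PREFIX.$FIRST_HOST"
    last_ip="$LAN_PREFIX.$LAST_HOST"

    printf '*nat\n'
    i="$FIRST_HOST"
    while [ "$i" -le "$LAST_HOST" ]; do
        host="$LAN_PREFIX.$i"
        port="$(outside_port_for "$i")"
        # Inbound: 66.1.2.3:601xy -> host:5000. Static, so it does not depend on a
        # conntrack entry still existing.
        printf -- '-A PREROUTING -i %s -p udp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$WAN_IF" "$WAN_IP" "$port" "$host" "$INSIDE_PORT"
        # Outbound: host:5000 -> 66.1.2.3:601xy, always the same outside port.
        printf -- '-A POSTROUTING -o %s -p udp -s %s --sport %s -j SNAT --to-source %s:%s\n' \
            "$WAN_IF" "$host" "$INSIDE_PORT" "$WAN_IP" "$port"
        i=$((i + 1))
    done
    printf 'COMMIT\n'

    printf '*filter\n'
    # FORWARD sees the post-DNAT destination, so match the inside range and inside port.
    # As in the question this admits the whole Internet to these ports; add -s <peer>
    # if only known remote endpoints should reach them.
    printf -- '-A FORWARD -i %s -p udp --dport %s -m iprange --dst-range %s-%s -j ACCEPT\n' \
        "$WAN_IF" "$INSIDE_PORT" "$first_ip" "$last_ip"
    printf -- '-A FORWARD -o %s -p udp --sport %s -m iprange --src-range %s-%s -j ACCEPT\n' \
        "$WAN_IF" "$INSIDE_PORT" "$first_ip" "$last_ip"
    printf 'COMMIT\n'
}

# Usage: sh gen-static-nat.sh > static-nat.rules
#        iptables-restore --noflush < static-nat.rules
gen_static_nat_rules
```

Load the file with `iptables-restore --noflush` so the generated rules are appended to the nat and filter tables; without `--noflush` the file replaces both tables, which would discard whatever INPUT, OUTPUT and other FORWARD rules are already loaded. The iprange match is what John calls the iprange patch and must be available on the box; if it is not, the two FORWARD rules can be replaced by a 192.168.25.0/24 subnet match at the cost of also admitting the hosts outside the mapped range.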
