Interesting. Are there any pre-packaged ways to do this? This sounds like perhaps the least complex solution, once it's actually implemented.
Pre-packaged solutions? Um, sure, it's called Linux. :P No, I don't know of any ""pre-packaged solutions. What there are is pre made building blocks that you can put together in to your own solution.
That could work. I'm really only worried about DNS, HTTP, HTTPS, SMTP, POP3, IMAP, and SSH. So I could redirect all those ports to different ports on on faketarget (DNAT), then back to the real ports on realtarget (using REDIRECT target?). Can you give me an example (or point me to a URL) of what rules I would need to run on realtarget to MARK the connections and then decide which routing table to use? Are we just talking about iptables commands, or is there something additional that is required?
This is the command that you would need to run on the fake target to do the up and over part: iptables -t nat -A PREROUTING -i $INet -d $FakeTargetIP -p tcp --dport 22 -j DNAT --to-destination $RealTargetIP:2222 This is the corresponding command that you would need to run on the real target to do the down and in part: iptables -t mangle -A PREROUTING -i $INet -d $RealTargetIP -p tcp --dport 2222 -j MARK --set-mark $Mark iptables -t nat -A PREROUTING -i $INet -d $RealTargetIP -p tcp --dport 2222 -j REDIRECT --to-ports 22 I'm not sure if you want the MARK target or the CONNMARK target as I have not worked with either of them. But I think you see what I'm trying to accomplish with them. As far as the rule, a little bit of reading should explain that (I'd have to do the reading my self at this hour). Grant. . . .
