You are correct to DNAT. You are incorrect to attempt to DNAT based upon source address. One DNATs the destination address. Of course, I may have misunderstood what you are trying to do.

On Tue, 2005-09-27 at 08:20 -0700, Alaios wrote:
> Why do you say I should not use DNAT? You also said that my second
> example is correct. Haven't you seen that it also uses DNAT? I think I
> should use DNAT because I want to alter the IP packet so that it is
> forwarded to the other network. Isn't that correct?
>
> --- "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx> wrote:
>
> > On Tue, 2005-09-27 at 07:57 -0700, Alaios wrote:
> > > Hi, please take a look at the following example.
> > >
> > > The laptop has 2 Ethernet interfaces. To eth1 comes traffic from
> > > src 143.233.222.253. eth0 has IP address 10.2.4.2 and is connected
> > > back to back with eth1 of another PC with IP address 10.2.4.1.
> > > I want to forward the traffic with src 143.233.222.253 to the
> > > 10.2.4.1 PC, and if it works I will redo this for a second PC so
> > > as to send the traffic to a third one.
> > > Can you help me please?
> > >
> > > I have tried this one:
> > >
> > > iptables -t nat -A PREROUTING -i eth1 -s 143.233.222.253 -j DNAT --to-destination 10.2.4.1
> > >
> > > I have also set /proc/sys/net/ipv4/ip_forward to 1, but still I
> > > can't see any traffic on the eth0 interface (IP 10.2.4.2).
> > >
> > > I have also tested this one:
> > >
> > > iptables -t nat -A PREROUTING -p tcp -d 143.233.222.77 --dport 22453 -j DNAT --to-destination 10.2.4.1
> > >
> > > (143.233.222.77 is the laptop's eth1 card; I have checked the
> > > destination port with tcpdump.) This still doesn't work.
> > > Every time I try to apply a new rule I first use the
> > > iptables -F and iptables -t nat -F commands.
> > <snip>
> >
> > I'm a little confused about what you are doing. I would normally
> > refer you to Oskar Andreasson's excellent tutorial at
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > or the training slides on the ISCS web site
> > (http://iscs.sourceforge.net) but, since it appears that you have
> > an emergency, here goes:
> >
> > First, if the source is 143.233.222.253, you would not want to DNAT
> > it. DNAT changes the destination. Thus, your second attempt is the
> > correct one. You might want to lock the destination port - it's not
> > likely to be a problem but, if it ever is, it will be one of those
> > really hard to diagnose, sporadic problems:
> >
> > -j DNAT --to-destination 10.2.4.1:22453
> >
> > Second, this only takes care of the addressing. You must still
> > allow the traffic in the FORWARD chain of the filter table, e.g.,
> >
> > iptables -A FORWARD -d 10.2.4.1 -p 6 --dport 22453 -j ACCEPT
> >
> > Hope this helps - John
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@xxxxxxxxxxxxxxxxxxx
> >
> > If you would like to participate in the development of an open
> > source enterprise class network security management system, please
> > visit http://iscs.sourceforge.net
>
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
Financially sustainable open source development
http://www.opensourcedevel.com
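The rule set John describes, assembled into one script as an added example (this is not code from the thread, and not a rule set either participant posted). It takes the thread's addresses (client 143.233.222.253, the laptop's eth1 address 143.233.222.77, its eth0 address 10.2.4.2, the target 10.2.4.1, port 22453) and emits the DNAT rule with the port locked, the FORWARD rule, a return-path FORWARD rule for the case where the FORWARD policy is DROP, and an optional SNAT. Matching on the client's source address with -s is a filter, not a rewrite, so it does not conflict with the point that DNAT rewrites only the destination. Assumptions not stated in the thread: eth1 is the interface facing the client, 10.2.4.1 routes its replies back via 10.2.4.2 (if it does not, the SNAT line is needed, at the cost that 10.2.4.1 then sees every connection as coming from 10.2.4.2 rather than the real client), and the conntrack match module is available. Without an argument the script only prints the rules; with `apply` it runs them, which requires root.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the PREROUTING DNAT
# plus the FORWARD rules needed for traffic from CLIENT, arriving on WAN_IF
# for WAN_IP:PORT, to reach TARGET:PORT on the back-to-back link LAN_IF.
# Assumptions (mine, not the thread's): eth1 faces the client, TARGET routes
# replies back through LAN_IP, and iptables has the conntrack match.

WAN_IF=eth1
WAN_IP=143.233.222.77
LAN_IF=eth0
LAN_IP=10.2.4.2
TARGET=10.2.4.1
PORT=22453
CLIENT=143.233.222.253

# Emit the commands in the order they should be applied. Kept as a function
# so the generated rule set can be inspected (or checked) without root.
dnat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -s $CLIENT -d $WAN_IP -p tcp --dport $PORT -j DNAT --to-destination $TARGET:$PORT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -s $CLIENT -d $TARGET -p tcp --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $TARGET -p tcp --sport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $LAN_IF -d $TARGET -p tcp --dport $PORT -j SNAT --to-source $LAN_IP
EOF
}

# Number of iptables rules the script would add (the sysctl line is not counted).
rule_count() {
    dnat_rules | grep -c '^iptables'
}

# Commands to run afterwards to confirm the rules are in place and being hit:
# the nat table counters on the PREROUTING rule should increase on each new
# connection, and the FORWARD counters on every packet.
verify_cmds() {
    cat <<EOF
iptables -t nat -L PREROUTING -n -v
iptables -L FORWARD -n -v
tcpdump -ni $LAN_IF tcp port $PORT
EOF
}

case "${1:-print}" in
    apply)
        # Each command is run in turn; -e aborts on the first failure so a
        # half-applied rule set is not left behind silently.
        dnat_rules | sh -e
        ;;
    *)
        dnat_rules
        ;;
esac
```

The DNAT rule is what the thread's second attempt becomes once the port is locked and the match is narrowed to the expected interface and client. The two FORWARD rules are only required if the filter table's FORWARD policy is DROP; with a default ACCEPT policy the DNAT alone suffices, but a DROP policy with explicit accepts is the posture to aim for on a box that is routing between two networks.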