Re: Forward internal packets as though they're external

Try "/sbin/iptables -t nat -A PREROUTING -d 65.9.134.4 -s 192.168.0.0/24 -p tcp
--dport 6969 -j DNAT --to-destination 192.168.0.100:6969"
It may work, I'm not sure.

2005/10/27, Jon Heese <netfilter@xxxxxxxxxxxx>:
> List,
>
> I have a seemingly simple situation here that I have yet to find a
> straightforward answer to, so here goes.  I have my router/firewall
> running iptables:
>
> eth0 - 65.9.134.4
> eth1 - 192.168.0.1
>
> Then, say an internal machine, "castor":
>
> eth0 - 192.168.0.100
>
> I'm running a BitTorrent tracker on castor's TCP port 6969, and I'm
> using iptables to forward traffic coming in on router's eth0's port 6969 to
> castor's 6969 (nat table, PREROUTING chain).  No problem coming in from
> outside.
>
> The problem arises when I want to connect to castor's BitTorrent tracker
> from another machine behind the router (on the 192.168.0.0/24 subnet).
> It's matching the INPUT rule and sending the packet directly to router's
> port 6969, instead of following the FORWARD rule to castor's 6969, and
> while this makes sense to me, I don't want it to do it.
>
> So, the simple solution, I say to myself, is to tell iptables to take
> all packets with destination address of 65.9.134.4 and source address of
> 192.168.0.0/24 and dport 6969 to go to castor's 6969.  In English I
> think I have it fine.  Finding the right syntax/logic in iptablesish is
> where I get tripped up.  I can match the rule fine, I just don't know
> what action/jump I need to specify to make it redirect.
>
> The rule is:
>
> /sbin/iptables -A INPUT -d 65.9.134.4 -s 192.168.0.0/24 -p tcp --dport 6969
>
> And if I add "-j DROP" or "-j ACCEPT", I get the appropriate action in
> my testing situation.  Now, the question:
>
> What do I have to specify after the above rule definition to either a)
> get iptables to redirect this packet to my existing nat/PREROUTING chain
> (which may not be possible), or b) forward it directly to a specified
> IP:port?
>
> If you need any more specifics or code or if I posted this to the wrong
> list, just let me know.  Thanks in advance.
>
> Regards,
> Jon Heese
>
>
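A complete hairpin NAT (NAT loopback) ruleset for the addresses in this thread, added here as an example and not taken from either poster. DNAT is only valid in the nat table's PREROUTING and OUTPUT chains, so a filter/INPUT rule can never redirect the packet; the script below puts the DNAT in nat/PREROUTING, restricted to packets that arrive on eth1 from the LAN, and adds the nat/POSTROUTING SNAT that makes castor's replies travel back through the router (without it castor answers the client directly from 192.168.0.100, and the client, which sent its SYN to 65.9.134.4, discards the SYN-ACK). The interface, address and port values are the ones from Jon's message; the print/apply mode switch and the `run` helper are assumptions of this example, and it assumes `net.ipv4.ip_forward=1` and that the existing DNAT for traffic arriving on eth0 stays in place.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) for the thread's setup. Added example, not code
# from either poster. Values below come from the original message; the
# print/apply switch and the run() helper are assumptions of this example.
# Assumes net.ipv4.ip_forward=1 and that the existing nat/PREROUTING DNAT
# for traffic arriving on eth0 stays in place.

WAN_IP="65.9.134.4"          # router eth0
LAN_IF="eth1"
LAN_NET="192.168.0.0/24"
ROUTER_LAN_IP="192.168.0.1"  # router eth1
TARGET="192.168.0.100"       # castor
PORT="6969"                  # tracker port

# "print" (default) only shows the commands; "apply" executes them as root.
MODE="${1:-print}"

run() {
  if [ "$MODE" = "apply" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

hairpin_rules() {
  # 1. Rewrite LAN -> public-IP:6969 to castor. Matching on -i and -s keeps
  #    this rule from ever applying to packets that arrived from the Internet.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$WAN_IP" \
      -p tcp --dport "$PORT" -j DNAT --to-destination "$TARGET:$PORT"
  # 2. Source-NAT the hairpinned flow to the router's LAN address so castor
  #    replies to the router (which un-DNATs the answer) instead of straight
  #    to the client, which would see a SYN-ACK from the wrong address.
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$TARGET" \
      -p tcp --dport "$PORT" -j SNAT --to-source "$ROUTER_LAN_IP"
  # 3. Let the LAN -> LAN forwarded flow through the filter table, limited
  #    to this one destination and port.
  run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$TARGET" \
      -p tcp --dport "$PORT" -j ACCEPT
}

# Number of rules produced; a sanity check meant for print mode.
rule_count() {
  hairpin_rules | wc -l | tr -d ' '
}

hairpin_rules
```

Run it without arguments to review the three commands, then as root with `apply` to install them. The SNAT rule only ever sees hairpinned flows, because a LAN client talking to 192.168.0.100 directly never traverses the router; the price of the hairpin is that castor's tracker will log 192.168.0.1 rather than the real client address for those connections.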
