RE: A netfilter 'if possible' question

On Wed, 26 Jul 2006, Sietse van Zanen wrote:

There are no lame questions, only lame answers like: NAT = NAT = NAT = NAT :-)

Sure you can do this, just add a DNAT rule in the PREROUTING chain of the NAT table, translating x.x.x.x to y.y.y.y. And be sure to allow 'any' to access port 80/443 on y.y.y.y in the FORWARD chain of the filter table.

But you may need to think about the packet's way back.

If the external servers are not behind the dsl line, but traffic to them needs to go out over this line again:

	user -->---- dslbox --- internal network
		 |
	server <-

The answer packets from $server may not directly go to $user, but need to reach $dslbox first and get de-NATed. To do this just masquerade/SNAT them in $dslbox - but the downside is that $server only sees connections from $dslbox, not the real source IPs.


-Sietse

________________________________

From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Simon
Sent: Wed 26-Jul-06 11:29
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: A netfilter 'if possible' question



Hi There,

I understand NAT to the level that I currently use it, to send certain
ports from our DSL link to various different servers within our
internal network. Is it possible to do this to an outside IP address?

e.g. zzz.zzz.zzz.zzz sends http requests to port 80 and 443 on
xxx.xxx.xxx.xxx, then have netfilter NAT those requests thru to port
80/443 on yyy.yyy.yyy.yyy, both x and y being different real world IP
addresses and on different subnets? (physically separate servers).

Thanks and sorry if it's a lame question...

Simon





c'ya
sven

--

The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
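The three-part rule set Sietse describes above (DNAT in nat/PREROUTING, an ACCEPT in filter/FORWARD, and SNAT on the way back out so replies return through the DSL box), written out as an added example that is not part of the thread. The function name, the `IPTABLES` override variable, the `ppp0` default interface and the RFC 5737 documentation addresses are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT a public address to an external
# server and SNAT the forwarded traffic so the replies come back through this
# box. Set IPTABLES="echo iptables" to print the rules instead of applying them
# (assumed convention for this example; running it for real needs root).

# dnat_to_external PUBLIC_IP SERVER_IP DSLBOX_IP [WAN_IF]
#   PUBLIC_IP : the address clients connect to      (x.x.x.x in the thread)
#   SERVER_IP : the external server that answers    (y.y.y.y in the thread)
#   DSLBOX_IP : this box's own address on the line the server is reached over
#   WAN_IF    : interface the server is reached through (default ppp0, assumed)
dnat_to_external() {
    public_ip=$1; server_ip=$2; dslbox_ip=$3; wan_if=${4:-ppp0}
    ipt=${IPTABLES:-iptables}

    # 1. Rewrite the destination before routing, for TCP 80/443 only.
    #    No port is given after --to-destination, so the port is kept.
    $ipt -t nat -A PREROUTING -d "$public_ip" -p tcp -m multiport --dports 80,443 \
         -j DNAT --to-destination "$server_ip"

    # 2. Let exactly the translated connections through the filter table:
    #    new connections to the server on 80/443, plus the established and
    #    related traffic of flows already accepted.
    $ipt -A FORWARD -d "$server_ip" -p tcp -m multiport --dports 80,443 \
         -m conntrack --ctstate NEW -j ACCEPT
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Return path: the server's replies must reach this box to be un-NATed,
    #    so rewrite the source to the box's own address on the way out. The
    #    cost, as noted in the thread, is that the server only ever sees
    #    DSLBOX_IP as the client, never the real source address.
    $ipt -t nat -A POSTROUTING -o "$wan_if" -d "$server_ip" -p tcp \
         -m multiport --dports 80,443 -j SNAT --to-source "$dslbox_ip"
}

# Dry run, constructed documentation addresses:
#   IPTABLES="echo iptables" dnat_to_external 203.0.113.10 198.51.100.20 192.0.2.1 eth0
```

With `--to-destination` left as a bare address, the DNAT keeps the original port, so 80 stays 80 and 443 stays 443.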

