Hello,

marko wrote:

> Is it possible to change the --dport on a packet that is forwarded through?
You cannot do NAT in the FORWARD chain. However, you can do it in the
PREROUTING chain.
> For example, two PCs and the Internet in between. Both PCs have Linux boxes as
> gateways. Both gateways do NAT. Now, I'd like to access port 8080 on
> machine A from machine B, for example "telnet X.X.X.X 8080". Normally I'd
> have to do a DNAT on machine A's gateway for that port, right? But I
> would like the port to change while in transit over the Internet. Like I type telnet to
> port 8080, but Linux redirects it to port 18080 on machine B's network,
> and on machine A's gateway I'd have to do a DNAT from 18080 to 8080. So I'd
> telnet to 8080 seemingly, the Linux box on B's side redirects it to 18080, it
> travels over the net to the Linux box on A's side on port 18080, and then it is DNAT'ed to
> 8080 on machine A.
No problem, DNAT in the PREROUTING chain can handle that.
> But the redirection doesn't work. As I understood it, if
> I redirect in the nat table's PREROUTING chain, the packet then travels to the
> INPUT chain instead of the FORWARD chain.
REDIRECT is intended to redirect connections to the local host; this is
not what you want to do. You need the DNAT target instead. DNAT can do
destination address and/or port translation. For instance, on B's gateway:

iptables -t nat -A PREROUTING -d $original_dst_ip -p tcp --dport 8080 \
-j DNAT --to-destination $apparent_dst_ip:18080
If you don't want to change the destination address, just remove
"$apparent_dst_ip". If you want to catch any connection on port 8080,
just remove "-d $original_dst_ip".
And on A's gateway:

iptables -t nat -A PREROUTING -d $apparent_dst_ip -p tcp --dport 18080 \
-j DNAT --to-destination $final_dst_ip:8080
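Added example, not part of the original thread: a toy model of the two hops described above. It mimics only the ordering the reply relies on, namely that the nat PREROUTING hook runs before the routing decision that picks INPUT or FORWARD, so a DNAT to a non-local address ends up in FORWARD while REDIRECT always ends up in INPUT. It is not iptables, it ignores POSTROUTING/MASQUERADE and the reverse direction, and every address, the Gateway/NatRule classes and the trace() helper are constructed for this illustration (RFC 5737 and private ranges).

```python
"""Toy model of nat/PREROUTING followed by the routing decision on two
Linux gateways. Constructed illustration; not real netfilter code."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    """One nat/PREROUTING rule: [-d match_dst] -p tcp --dport dport -j target."""
    target: str                      # "DNAT" or "REDIRECT"
    dport: int
    match_dst: Optional[str] = None  # None: no -d match, catch any destination
    to_ip: Optional[str] = None      # DNAT only; None keeps the destination address
    to_port: Optional[int] = None    # None keeps the destination port

    def as_iptables(self) -> str:
        """Render the rule as the iptables command line it models."""
        parts = ["iptables -t nat -A PREROUTING"]
        if self.match_dst:
            parts.append(f"-d {self.match_dst}")
        parts.append(f"-p tcp --dport {self.dport} -j {self.target}")
        if self.target == "DNAT":
            dest = self.to_ip or ""          # ":port" alone keeps the address
            if self.to_port is not None:
                dest += f":{self.to_port}"
            parts.append(f"--to-destination {dest}")
        elif self.to_port is not None:
            parts.append(f"--to-ports {self.to_port}")
        return " ".join(parts)


@dataclass
class Gateway:
    name: str
    ip: str                  # address of the interface the packet arrives on
    prerouting: List[NatRule]

    def process(self, pkt: Packet) -> Tuple[Packet, str]:
        """Apply the first matching nat rule, then take the routing decision."""
        for r in self.prerouting:
            if r.dport != pkt.dport or (r.match_dst and r.match_dst != pkt.dst):
                continue
            if r.target == "REDIRECT":
                # REDIRECT rewrites the destination to the incoming interface's
                # own address, so the routing decision always picks INPUT.
                pkt = replace(pkt, dst=self.ip, dport=r.to_port or pkt.dport)
            else:
                pkt = replace(pkt, dst=r.to_ip or pkt.dst,
                              dport=r.to_port or pkt.dport)
            break
        # Routing decision comes after PREROUTING: local dst -> INPUT, else FORWARD
        chain = "INPUT" if pkt.dst == self.ip else "FORWARD"
        return pkt, chain


def trace(gateways: List[Gateway], pkt: Packet) -> List[Tuple[str, Packet, str]]:
    """Run one SYN through the gateways in order; return (name, packet, chain) per hop."""
    hops = []
    for gw in gateways:
        pkt, chain = gw.process(pkt)
        hops.append((gw.name, pkt, chain))
        if chain == "INPUT":
            break                     # delivered locally; never leaves this box
    return hops


# Constructed addresses: B's user types A's public address and port 8080.
ORIGINAL_DST_IP = "198.51.100.1"    # gateway A's public address (apparent dst too)
FINAL_DST_IP = "10.1.1.10"          # machine A behind gateway A
GW_B = Gateway("gateway B", "10.2.2.1",
               [NatRule("DNAT", 8080, match_dst=ORIGINAL_DST_IP, to_port=18080)])
GW_A = Gateway("gateway A", ORIGINAL_DST_IP,
               [NatRule("DNAT", 18080, match_dst=ORIGINAL_DST_IP,
                        to_ip=FINAL_DST_IP, to_port=8080)])
SYN = Packet(src="10.2.2.50", dst=ORIGINAL_DST_IP, dport=8080)


def working_path():
    """DNAT on both gateways: 8080 -> 18080 across the net -> 8080 on machine A."""
    return trace([GW_B, GW_A], SYN)


def redirect_path():
    """The original poster's attempt: REDIRECT on B's gateway lands in INPUT."""
    gw_b_redirect = Gateway("gateway B", "10.2.2.1",
                            [NatRule("REDIRECT", 8080, to_port=18080)])
    return trace([gw_b_redirect, GW_A], SYN)


if __name__ == "__main__":
    for gw in (GW_B, GW_A):
        print(gw.name + ":", gw.prerouting[0].as_iptables())
    for name, pkt, chain in working_path():
        print(f"{name}: -> {pkt.dst}:{pkt.dport} via {chain}")
    for name, pkt, chain in redirect_path():
        print(f"{name} (REDIRECT): -> {pkt.dst}:{pkt.dport} via {chain}")
```

Running it prints the two rendered iptables rules and the per-hop result: with DNAT the SYN leaves gateway B as 198.51.100.1:18080 through FORWARD and leaves gateway A as 10.1.1.10:8080 through FORWARD; with REDIRECT it is rewritten to gateway B's own address and stops in INPUT, which is exactly the symptom reported in the quoted message. Without the rule on gateway A the packet would also stop in INPUT there, since its public address is local, which is why the second DNAT is needed.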