On Tue, 07/07/2009 at 22:48 +0200, David Balažic wrote:
> Hi!
>
> I have a bit specific, but not that unusual problem.
>
> I have linux 2.4 (OpenWRT 1.0) running on a home router.
> ppp0 has the connection to outside world and br0 is the local network
> and is "NAT-ed".
>
> I also have a vlan0 interface with IP address 192.168.1.1. On that
> network there is a host that has an HTTP server on port 80 and accepts
> connections only from 192.168.1.x.
>
> What I want is to set up a rule that allows outside hosts (the entire
> internet, ok maybe limited to a single IP) access to that port and of
> course masquerades it to appear as if coming from 192.168.1.x.
>
> There I'm lost. I have good unix experience, but managed to avoid
> packet filters until now ;-)

# Rewrite the destination of inbound port-80 packets to the HTTP server
# (<server_IP> is the server's own address; 192.168.1.1 is the router's vlan0 address)
iptables -t nat -A PREROUTING -i ppp0 -p tcp -d <ppp0_IP> --dport 80 -j DNAT --to-destination <server_IP>
# Rewrite the source so the server sees a LAN address and replies via the router
iptables -t nat -A POSTROUTING -o br0 -p tcp -d <server_IP> --dport 80 -j SNAT --to-source <br0_IP>

I managed to avoid VLAN setups, so the above will work for the case without vlan when the HTTP server is connected to br0.

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
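The complete rule set the reply sketches, written as an added example rather than anything posted in the thread: besides the DNAT and SNAT pair it adds the FORWARD-chain rules the router needs once forwarded traffic is not accepted by default, and the optional source restriction the question asks about. Interface and address values (ppp0, vlan0, 192.168.1.1) come from the thread; the server address, WAN address and allowed client are placeholders chosen here, and the function prints the commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example: emit iptables rules that forward one TCP port from the WAN
# interface to an internal server which only accepts connections from its
# own subnet. Nothing is applied; the commands are printed for review.
#
# Usage: port_forward_rules WAN_IF WAN_IP LAN_IF LAN_IP SERVER PORT [ALLOWED_SRC]
#   WAN_IF/WAN_IP  : external interface and its address (ppp0, <ppp0_IP>)
#   LAN_IF/LAN_IP  : interface facing the server and the router's address on
#                    it (vlan0, 192.168.1.1 in the thread)
#   SERVER         : the HTTP server's address (placeholder, not in the thread)
#   ALLOWED_SRC    : optional single client address allowed to reach the port;
#                    when omitted, any source is forwarded
port_forward_rules() {
    wan_if=$1 wan_ip=$2 lan_if=$3 lan_ip=$4 server=$5 port=$6 allowed=${7:-}
    src=""
    [ -n "$allowed" ] && src="-s $allowed "

    # 1. DNAT on PREROUTING: packets arriving on the WAN for wan_ip:port get the
    #    server as their new destination. Matching -s here means other clients
    #    never obtain a NAT mapping at all.
    echo "iptables -t nat -A PREROUTING -i $wan_if ${src}-p tcp -d $wan_ip --dport $port -j DNAT --to-destination $server"

    # 2. FORWARD runs after PREROUTING NAT, so it must match the rewritten
    #    destination. Accept only new connections to the forwarded port.
    echo "iptables -A FORWARD -i $wan_if -o $lan_if ${src}-p tcp -d $server --dport $port -m state --state NEW -j ACCEPT"

    # 3. Let packets of an already tracked connection pass in either direction;
    #    conntrack undoes both NAT rewrites on the replies.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 4. SNAT on POSTROUTING: the server sees the router's LAN address as the
    #    client, which satisfies its 192.168.1.x-only restriction and makes it
    #    answer back through the router.
    echo "iptables -t nat -A POSTROUTING -o $lan_if -p tcp -d $server --dport $port -j SNAT --to-source $lan_ip"
}

# Number of commands produced for a given parameter set.
count_rules() { port_forward_rules "$@" | wc -l | tr -d ' '; }

# Example invocation with constructed addresses (RFC 5737 documentation ranges).
port_forward_rules ppp0 203.0.113.5 vlan0 192.168.1.1 192.168.1.10 80 198.51.100.7
```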