For the record, this worked:

# I used port 8085 on the outside, as 80 is already used for the router's GUI
# vlan1 is just a network interface, just like br0, eth1, wlan1, ppp0 ;-)
iptables -A FORWARD -i ppp0 -o vlan1 -j ACCEPT
# 1.2.3.4 is the only remote IP I allow access from
iptables -t nat -A prerouting_rule -i ppp0 -p tcp -s 1.2.3.4 --dport 8085 -j DNAT --to 192.168.1.254:80
iptables -t nat -A POSTROUTING -o vlan1 -p tcp -d 192.168.1.254 --dport 80 -j SNAT --to-source 192.168.1.1
# I guess prerouting_rule is OpenWRT specific; it is "linked" from the PREROUTING rule/table/chain/whatever-it-is-called-properly

Regards,
David

2009/7/8 Покотиленко Костик <casper@xxxxxxxxxxxx>:
> On Tue, 07/07/2009 at 22:48 +0200, David Balažic wrote:
>> Hi!
>>
>> I have a bit specific, but not that unusual, problem.
>>
>> I have linux 2.4 (OpenWRT 1.0) running on a home router.
>> ppp0 has the connection to the outside world and br0 is the local network
>> and is "NAT-ed".
>>
>> I also have a vlan0 interface with IP address 192.168.1.1. On that
>> network there is a host that has an HTTP server on port 80 and accepts
>> connections only from 192.168.1.x.
>>
>> What I want is to set up a rule that allows outside hosts (the entire
>> internet, ok maybe limited to a single IP) access to that port and of
>> course masquerades it to appear as if coming from 192.168.1.x.
>>
>> There I'm lost. I have good unix experience, but managed to avoid
>> packet filters until now ;-)
>
> iptables -t nat -A PREROUTING -i ppp0 -p tcp -d <ppp0_IP> --dport 80 -j DNAT --to-destination 192.168.1.1
> iptables -t nat -A POSTROUTING -o br0 -p tcp -d 192.168.1.1 --dport 80 -j SNAT --to-source <br0_IP>
>
> I managed to avoid VLAN setups, so the above will work for the case
> without vlan when the HTTP server is connected to br0.
>
> --
> Покотиленко Костик <casper@xxxxxxxxxxxx>
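The DNAT + SNAT pair discussed in this thread, as an added example that is not part of either poster's message. It generates the rules as text so they can be reviewed before they touch the router, and it adds two things a practitioner would want that the thread does not show: the FORWARD rule is pinned to the allowed source, the server and the port instead of accepting everything from ppp0 to vlan1, and a reverse ESTABLISHED,RELATED rule is included for routers whose FORWARD policy is DROP (assumes the ipt_state/conntrack match is available). The variable names, the prerouting_rule default, the 1.2.3.4 source and the audit helper are this example's own assumptions, modelled on the values in the thread. One consequence of the SNAT worth keeping in mind: the HTTP server will log 192.168.1.1 for every forwarded client, so the only record of the real remote address is the router's own counters and logs.

```shell
#!/bin/sh
# Added example (not from the thread): build the DNAT + SNAT pair that
# forwards an outside port to a LAN-only HTTP server and makes the server
# see the router's LAN address as the client. Variable names, the audit
# helper and the ESTABLISHED/RELATED rules are this example's assumptions.
WAN_IF=${WAN_IF:-ppp0}                 # interface facing the internet
LAN_IF=${LAN_IF:-vlan1}                # interface on the server's subnet
LAN_IP=${LAN_IP:-192.168.1.1}          # router's address on that subnet
SERVER=${SERVER:-192.168.1.254}        # the HTTP server
SERVER_PORT=${SERVER_PORT:-80}
OUTSIDE_PORT=${OUTSIDE_PORT:-8085}     # 80 is taken by the router's own GUI
ALLOWED_SRC=${ALLOWED_SRC-1.2.3.4}     # empty = open to everyone (audited below)
NAT_IN=${NAT_IN:-prerouting_rule}      # OpenWrt's hook; plain iptables: PREROUTING

# Emit " -s <ip>" only when a source restriction is configured.
src_match() {
    if [ -n "$ALLOWED_SRC" ]; then printf ' -s %s' "$ALLOWED_SRC"; fi
}

# Print the rules instead of applying them so they can be reviewed first.
gen_rules() {
    cat <<EOF
iptables -t nat -A $NAT_IN -i $WAN_IF -p tcp$(src_match) --dport $OUTSIDE_PORT -j DNAT --to-destination $SERVER:$SERVER_PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $SERVER --dport $SERVER_PORT -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp$(src_match) -d $SERVER --dport $SERVER_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -s $SERVER --sport $SERVER_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Refuse a DNAT rule that is not pinned to a source address: it would
# expose the server to the whole internet rather than to one remote host.
audit_rules() {
    if gen_rules | grep -- '-j DNAT' | grep -qv -- ' -s '; then
        echo "unrestricted DNAT"
        return 1
    fi
    echo ok
}

# Apply the rules on the router (run as root) once the audit passes.
apply_rules() {
    audit_rules >/dev/null && gen_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to print the four rules, and with `apply` as root on the router to install them. Afterwards `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters; a connection from the allowed source to port 8085 should increment the DNAT, SNAT and both FORWARD rules, while a connection from any other address should increment none of them.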