Or instead just use DNAT with specific ports, which will allow any other
traffic from this host to others based on basic NAT, what is called
"port-forwarding".
Regards,
Eliezer
On 11/14/2012 1:23 PM, Jan Engelhardt wrote:
# <-> both ways
First, you only used one MASQUERADE rule, which says to establish a
mapping 192.168.1.38:P <-> 114.XX.234.123:Q, if and only if,
192.168.0.0/16 is the src address on the initiating packet. This is
not the case for that <122.XX.115.203:10020->114.XX.234.123:44608>
packet of yours.
In weird Wikipedia terms, nf_nat implements "Cone NAT" exclusively.
There are two ways here.
1.
`modprobe nf_nat_sip` and see if that yields the desired result.
If not,
2.
To get the "1:1 NAT", you will need to add a "second" cone in the
other direction, so to speak. This is then something like
iptables -t nat -A PREROUTING -i internet [-d 114.XX.234.123] \
-j DNAT --to 192.168.1.38
As you no doubt will notice, this makes the router as a host
inaccessible on 114.XX.234.123, but that's what 1:1 means.
HTH.
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
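The two approaches in this thread (Jan's 1:1 NAT via a DNAT "second cone" and the port-forwarding alternative) as an added example that is not code from the thread: a script that prints the rule set for either option so the difference in what gets exposed is visible before anything is applied. The interface name "internet", the addresses and the port list are assumed values (the thread masks the public address as 114.XX.234.123).

```shell
#!/bin/sh
# Added example, not from the original thread. Each function prints the iptables
# commands for one approach; pipe the output into sh on the router to apply it.
# All values below are assumed/constructed, override them via the environment.
WAN_IF="${WAN_IF:-internet}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"      # constructed documentation address
INTERNAL_IP="${INTERNAL_IP:-192.168.1.38}"

# Shared part: the single MASQUERADE rule from the thread (outbound LAN traffic)
# plus conntrack bookkeeping so replies to mapped flows pass FORWARD.
common_rules() {
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Option 2 from Jan's reply: 1:1 NAT. Every inbound packet for PUBLIC_IP is
# rewritten to INTERNAL_IP, so the router itself is no longer reachable on that
# address and every port the internal host listens on becomes reachable.
one_to_one_nat() {
    common_rules
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -j DNAT --to-destination $INTERNAL_IP"
    echo "iptables -A FORWARD -i $WAN_IF -d $INTERNAL_IP -m conntrack --ctstate NEW -j ACCEPT"
}

# Eliezer's alternative: forward only the named ports. Unlisted ports stay with
# the router, so the internal host's other services are not exposed.
# Arguments: "proto:port" pairs, e.g.  port_forward udp:5060 tcp:443
port_forward() {
    common_rules
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p $proto --dport $port -j DNAT --to-destination $INTERNAL_IP"
        echo "iptables -A FORWARD -i $WAN_IF -d $INTERNAL_IP -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Reads a rule set on stdin and prints how many DNAT rules it installs,
# a quick check of how much of the internal host each option exposes.
count_dnat() {
    grep -c -- '-j DNAT'
}
```

Review the output with `one_to_one_nat` or `port_forward udp:5060` before piping it into sh; the 1:1 variant has no per-port match, which is exactly why it exposes every service on the internal host.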