On Fri, Dec 12, 2014 at 7:50 PM, Neal Murphy <neal.p.murphy@xxxxxxxxxxxx> wrote:
> On Friday, December 12, 2014 06:55:21 PM John Miller wrote:
>> Hi folks,
>>
>> We're running a server that scans local systems for installed SSL
>> certificates. Problem is, the tool truly means local -- RFC1918 private
>> ranges only, please. Being a university, we have quite a few things
>> located in public IP space that aren't necessarily world-accessible
>> (development servers and the like).
>>
>> My solution thus far has been to use DNAT to trick our scanning program
>> into thinking it's using local addresses.
>>
>> iptables -t nat -A OUTPUT -d 172.16.x.y -j DNAT \
>>     --to-destination 129.64.x.y
>
> This might point you in the right direction:
>
> iptables -t nat -A PREROUTING -s 172.16.0.0/16 \
>     -j DNAT --to-destination 129.64.0.0-129.64.255.255

Thanks for your response, Neal.

These are for TCP streams that I'm initiating, so I'm pretty sure the
OUTPUT chain is what I want here.

As for the range in --to-destination, it's as you say: mappings aren't
predictable. Was hoping someone on the list knew the innards of the DNAT
target and whether there were other options besides --to-destination.
Alternatively, was wondering if the mangle table might be able to do what
I'm looking for.

Definitely open to suggestions!

John
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
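The predictable, one-to-one mapping John is after can be had with the approach already in the thread, provided one OUTPUT DNAT rule is written per host rather than handing DNAT a range (with a range, the kernel picks an address from it per connection, which is why the mapping looks unpredictable). The script below is an added example, not code from the thread or from the netfilter project: it keeps the host part of each 172.16.x.y alias and swaps the /16 for 129.64.x.y, then prints the corresponding iptables commands so they can be reviewed before being applied. The host list and the assumption that 172.16.0.0/16 is reserved for these aliases are constructed for the example; the 129.64 prefix is the one from the thread.

```shell
#!/bin/sh
# Added example for the thread above (not the list's or netfilter's own code).
# Builds one nat/OUTPUT DNAT rule per development host so that the scanner,
# which only accepts RFC1918 targets, talks to 172.16.x.y while the kernel
# rewrites the destination to the real public address 129.64.x.y.
#
# Assumption (constructed): 172.16.0.0/16 is otherwise unused on the scanner
# host, so every 172.16.x.y alias can map 1:1 onto 129.64.x.y.

PRIV_PREFIX="172.16"   # alias /16 the scanner is allowed to talk to
PUB_PREFIX="129.64"    # real /16 the dev servers live in (from the thread)

# Constructed sample of dev-server aliases; the real list would come from
# inventory. One entry is deliberately outside the alias prefix to show
# that it is rejected rather than silently mapped.
DEV_HOSTS="172.16.10.5 172.16.10.6 10.0.0.7 172.16.20.9"

# map_private_to_public ALIAS -> prints the public address, keeping the
# low 16 bits unchanged (172.16.x.y -> 129.64.x.y). Fails for anything
# outside PRIV_PREFIX so a typo cannot produce a rule for the wrong subnet.
map_private_to_public() {
    case "$1" in
        "$PRIV_PREFIX".*) printf '%s%s\n' "$PUB_PREFIX" "${1#"$PRIV_PREFIX"}" ;;
        *) return 1 ;;
    esac
}

# emit_dnat_rule ALIAS PUBLIC -> prints the iptables command line.
# OUTPUT is the right chain because the scanner originates the TCP
# connections on this host; PREROUTING only sees forwarded/incoming traffic.
emit_dnat_rule() {
    printf 'iptables -t nat -A OUTPUT -d %s -j DNAT --to-destination %s\n' "$1" "$2"
}

# generate_rules -> prints one rule per valid alias in DEV_HOSTS and
# reports rejected entries on stderr. Nothing is applied: pipe the output
# into sh once it has been reviewed.
generate_rules() {
    for alias in $DEV_HOSTS; do
        if pub=$(map_private_to_public "$alias"); then
            emit_dnat_rule "$alias" "$pub"
        else
            echo "skipping $alias: not inside $PRIV_PREFIX.0.0/16" >&2
        fi
    done
}

# Run directly: print the rule set. Verify after applying with
#   iptables -t nat -L OUTPUT -n -v --line-numbers
# and watch the packet counters climb while the scanner runs.
if [ "${0##*/}" != "sh" ] && [ -z "$SOURCED" ]; then
    generate_rules
fi
```

Because the mapping is per host, the conntrack entry for each scan connection is created with a fixed reverse translation, so replies come back to the scanner as if from the 172.16 alias. For a whole /16 at once, the nat table also provides the NETMAP target (`iptables -t nat -A OUTPUT -d 172.16.0.0/16 -j NETMAP --to 129.64.0.0/16`), which performs exactly this prefix swap in one rule; the per-host form above has the advantage that only inventoried servers are reachable through the aliases.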