* RE: natting specific ports
From: Ranjeet Shetye @ 2002-12-13 19:34 UTC
To: netfilter

Yes,

You need to DNAT the destination ports and therefore you need to look for
them using the --dport flag extension of the -p tcp/udp flag.

i.e. for telnet you'll have "-p tcp --dport 23".

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
771 Vaqueros Avenue
Sunnyvale CA 94085
USA
Ranjeet.Shetye@Zultys.com
http://www.zultys.com/

> -----Original Message-----
> From: Simpson, Doug [mailto:DSimpson@friedmancorp.com]
> Sent: Friday, December 13, 2002 11:19 AM
> To: 'Ranjeet Shetye'
> Subject: RE: natting specific ports
>
> I want this for traffic going out. So that my internal clients can send
> mail and telnet to servers out on the Public Net. I need to use -dport
> instead of -sport? Thanks, Doug
>
> -----Original Message-----
> From: Ranjeet Shetye [mailto:ranjeet.shetye@zultys.com]
> Sent: Friday, December 13, 2002 11:58 AM
> To: netfilter@lists.netfilter.org
> Subject: RE: natting specific ports
>
> Hi Doug,
>
> Do you want to NAT for traffic coming in or for traffic going out ?
>
> If you want your internal network to be able to reach external telnet
> and smtp servers, then your destination port will be 23 or 25, not your
> source port.
>
> If you want to host telnet and smtp servers behind a firewall and allow
> only NATted access to these servers, then you should be using DNAT, not
> SNAT.
>
> Hope this helps,
>
> Ranjeet Shetye
> Senior Software Engineer
> Zultys Technologies
> 771 Vaqueros Avenue
> Sunnyvale CA 94085
> USA
> Ranjeet.Shetye@Zultys.com
> http://www.zultys.com/
>
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Simpson, Doug
> > Sent: Friday, December 13, 2002 9:49 AM
> > To: 'netfilter@lists.netfilter.org'
> > Subject: natting specific ports
> >
> > I want to "NAT" just specific ports to my Public IP. Do the commands
> > below make sense? I want my internal network to be able to telnet and
> > send email. (eth0 is my External NIC - it is exposed to the internet)
> >
> > iptables -t nat -A POSTROUTING -p tcp --sport 25 -o eth0 -s $INTERNAL_IP -j SNAT --to $EXTERNAL_IP
> > iptables -t nat -A POSTROUTING -p tcp --sport 23 -o eth0 -s $INTERNAL_IP -j SNAT --to $EXTERNAL_IP
> >
> > Thank you,
> > Doug
* RE: natting specific ports
From: Ranjeet Shetye @ 2002-12-13 20:14 UTC
To: netfilter

Aargh! My apologies. You are right, you need to SNAT the packet, not DNAT.
And therefore you will have to use POSTROUTING.

Also, you still need to use "-p tcp --dport 23" for Telnet or "-p tcp
--dport 25" for mail servers (that are using SMTP).

Sorry about the confusion there. :D

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
771 Vaqueros Avenue
Sunnyvale CA 94085
USA
Ranjeet.Shetye@Zultys.com
http://www.zultys.com/

> -----Original Message-----
> From: Simpson, Doug [mailto:DSimpson@friedmancorp.com]
> Sent: Friday, December 13, 2002 11:50 AM
> To: 'Ranjeet Shetye'
> Subject: RE: natting specific ports
>
> Do I still use POSTROUTING or PRE . . .
>
> -----Original Message-----
> From: Ranjeet Shetye [mailto:ranjeet.shetye@zultys.com]
> Sent: Friday, December 13, 2002 1:34 PM
> To: netfilter@lists.netfilter.org
> Subject: RE: natting specific ports
>
> Yes,
>
> You need to DNAT the destination ports and therefore you need to look
> for them using the --dport flag extension of the -p tcp/udp flag.
>
> i.e. for telnet you'll have "-p tcp --dport 23".
>
> Ranjeet Shetye
> Senior Software Engineer
> Zultys Technologies
> 771 Vaqueros Avenue
> Sunnyvale CA 94085
> USA
> Ranjeet.Shetye@Zultys.com
> http://www.zultys.com/
>
> > -----Original Message-----
> > From: Simpson, Doug [mailto:DSimpson@friedmancorp.com]
> > Sent: Friday, December 13, 2002 11:19 AM
> > To: 'Ranjeet Shetye'
> > Subject: RE: natting specific ports
> >
> > I want this for traffic going out. So that my internal clients can
> > send mail and telnet to servers out on the Public Net. I need to use
> > -dport instead of -sport? Thanks, Doug
> >
> > -----Original Message-----
> > From: Ranjeet Shetye [mailto:ranjeet.shetye@zultys.com]
> > Sent: Friday, December 13, 2002 11:58 AM
> > To: netfilter@lists.netfilter.org
> > Subject: RE: natting specific ports
> >
> > Hi Doug,
> >
> > Do you want to NAT for traffic coming in or for traffic going out ?
> >
> > If you want your internal network to be able to reach external telnet
> > and smtp servers, then your destination port will be 23 or 25, not
> > your source port.
> >
> > If you want to host telnet and smtp servers behind a firewall and
> > allow only NATted access to these servers, then you should be using
> > DNAT, not SNAT.
> >
> > Hope this helps,
> >
> > Ranjeet Shetye
> > Senior Software Engineer
> > Zultys Technologies
> > 771 Vaqueros Avenue
> > Sunnyvale CA 94085
> > USA
> > Ranjeet.Shetye@Zultys.com
> > http://www.zultys.com/
> >
> > > -----Original Message-----
> > > From: netfilter-admin@lists.netfilter.org
> > > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Simpson, Doug
> > > Sent: Friday, December 13, 2002 9:49 AM
> > > To: 'netfilter@lists.netfilter.org'
> > > Subject: natting specific ports
> > >
> > > I want to "NAT" just specific ports to my Public IP. Do the commands
> > > below make sense? I want my internal network to be able to telnet
> > > and send email. (eth0 is my External NIC - it is exposed to the
> > > internet)
> > >
> > > iptables -t nat -A POSTROUTING -p tcp --sport 25 -o eth0 -s $INTERNAL_IP -j SNAT --to $EXTERNAL_IP
> > > iptables -t nat -A POSTROUTING -p tcp --sport 23 -o eth0 -s $INTERNAL_IP -j SNAT --to $EXTERNAL_IP
> > >
> > > Thank you,
> > > Doug
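As an added illustration (not code from the thread or from netfilter), the following Python toy model of nat/POSTROUTING rule matching shows why Doug's --sport rules never match an outbound client connection while the --dport form given in this reply does. The network, public address and packet are constructed stand-ins for $INTERNAL_IP and $EXTERNAL_IP.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    out_iface: str

@dataclass(frozen=True)
class SnatRule:
    """One 'iptables -t nat -A POSTROUTING ... -j SNAT --to <ip>' rule."""
    proto: str                    # -p
    out_iface: str                # -o
    src_net: str                  # -s
    to: str                       # --to
    sport: Optional[int] = None   # --sport (client side of the connection)
    dport: Optional[int] = None   # --dport (server side of the connection)

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and p.out_iface == self.out_iface
                and ip_address(p.src) in ip_network(self.src_net)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))

def postrouting(rules, p: Packet) -> Packet:
    """First matching rule wins, as in an iptables chain; SNAT rewrites src."""
    for r in rules:
        if r.matches(p):
            return replace(p, src=r.to)
    return p  # no rule matched: packet leaves with its private source address

# Constructed stand-ins for the thread's $INTERNAL_IP and $EXTERNAL_IP.
INTERNAL_NET = "192.168.1.0/24"
EXTERNAL_IP = "203.0.113.10"
# Doug's original rules match on --sport, i.e. the client's own port.
SPORT_RULES = [SnatRule("tcp", "eth0", INTERNAL_NET, EXTERNAL_IP, sport=25),
               SnatRule("tcp", "eth0", INTERNAL_NET, EXTERNAL_IP, sport=23)]
# Corrected rules match on --dport, the port of the server being reached.
DPORT_RULES = [SnatRule("tcp", "eth0", INTERNAL_NET, EXTERNAL_IP, dport=25),
               SnatRule("tcp", "eth0", INTERNAL_NET, EXTERNAL_IP, dport=23)]
# An internal client opening an SMTP session: ephemeral sport, dport 25.
SMTP_CLIENT = Packet("192.168.1.20", "198.51.100.5", "tcp", 51234, 25, "eth0")
```

In real netfilter only the first packet of a connection traverses the nat table; conntrack applies the reverse translation to the replies, so no rule for the return traffic is needed.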
* natting specific ports
From: Simpson, Doug @ 2002-12-13 17:48 UTC
To: 'netfilter@lists.netfilter.org'

I want to "NAT" just specific ports to my Public IP. Do the commands below
make sense? I want my internal network to be able to telnet and send
email. (eth0 is my External NIC - it is exposed to the internet)

iptables -t nat -A POSTROUTING -p tcp --sport 25 -o eth0 -s $INTERNAL_IP -j SNAT --to $EXTERNAL_IP
iptables -t nat -A POSTROUTING -p tcp --sport 23 -o eth0 -s $INTERNAL_IP -j SNAT --to $EXTERNAL_IP

Thank you,
Doug
* RE: natting specific ports
From: Ranjeet Shetye @ 2002-12-13 17:57 UTC
To: netfilter

Hi Doug,

Do you want to NAT for traffic coming in or for traffic going out ?

If you want your internal network to be able to reach external telnet and
smtp servers, then your destination port will be 23 or 25, not your source
port.

If you want to host telnet and smtp servers behind a firewall and allow
only NATted access to these servers, then you should be using DNAT, not
SNAT.

Hope this helps,

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
771 Vaqueros Avenue
Sunnyvale CA 94085
USA
Ranjeet.Shetye@Zultys.com
http://www.zultys.com/

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Simpson, Doug
> Sent: Friday, December 13, 2002 9:49 AM
> To: 'netfilter@lists.netfilter.org'
> Subject: natting specific ports
>
> I want to "NAT" just specific ports to my Public IP. Do the commands
> below make sense? I want my internal network to be able to telnet and
> send email. (eth0 is my External NIC - it is exposed to the internet)
>
> iptables -t nat -A POSTROUTING -p tcp --sport 25 -o eth0 -s $INTERNAL_IP -j SNAT --to $EXTERNAL_IP
> iptables -t nat -A POSTROUTING -p tcp --sport 23 -o eth0 -s $INTERNAL_IP -j SNAT --to $EXTERNAL_IP
>
> Thank you,
> Doug