From: "Ryan Beisner" <ryanb@thedataarc.com>
To: netfilter@lists.netfilter.org
Subject: re: WAP11 through router
Date: Wed, 18 Sep 2002 16:31:45 -0500 [thread overview]
Message-ID: <0d3901c25f5a$c9de9c60$64dc0a0a@dataarc> (raw)
How about this:
Ext IF eth1 IP 10.20.0.3 (insignificant unnecessary info for this config)
Ext IF eth1:1 Virtual IP 10.20.0.4
Int IF eth0 IP 192.168.168.1
I want a one-to-one bidirectional NAT map from 10.20.0.4 to 192.168.168.178 for all ports. I will explicitly allow and deny protocols later. Again, this is already behind a firewall in my corporation. The goal is to make 10.20.0.4 a full "representative" of my WAP11. Security is taken care of elsewhere with the firebox. = )
Using IPTRAF, I can see the request coming through, but the answer doesn't make it out. I'm just not figuring that out. Thanks again, I really appreciate any help you can provide.
-Ryan Beisner
On Wednesday 18 September 2002 9:44 pm, Ryan Beisner wrote:
> Hi All!
>
> I have a Linksys WAP11 behind a high speed connection.
>
> Here's the scenario:
>
> INT (eth0) IP Range ( 192.168.168.1 class C )
> EXT (eth1) IP Range also private ( 10.20.0.3 class B )
> EXT (eth1:1) Virtual IP is 10.20.0.4
>
> I want to map everything from Virt IP (Eth1:1) 10.20.0.4 (all ports) to
> internal 192.168.168.178 (the Linksys WAP 11). FYI this is for remote
> management of my access point.
>
> Here was my first attempt, which did not work. I explicitly allow all
> traffic in/out/fwd for 10.20.0.4 to make sure I wasn't kicking myself here.
> Still no go. Suggestions?
>
> iptables -A PREROUTING -t nat -d 10.20.0.4 -j DNAT --to 192.168.168.178
The PREROUTING rule looks good.
However, remember that by the time packets reach the FORWARD chain, the
PREROUTING rule has already NATted them, so you need to allow packets for
192.168.168.178 through netfilter, not packets for 10.20.0.4.
Also, you say you want to do this for "remote management of the access
point", so why do you want to map *all* ports? Surely there are only a very
few ways of managing the AP: telnet, snmp, http - any others?
Antony.
--
If at first you don't succeed, destroy all the evidence that you tried.
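As an added example (not part of the original thread, and not a ruleset either poster supplied), here is a complete one-to-one NAT setup for the addresses in the thread that follows Antony's point: the DNAT rule rewrites the destination before routing, so the FORWARD rules must match 192.168.168.178, not 10.20.0.4. A POSTROUTING SNAT rule handles the outbound half of the "bidirectional" map so that traffic the WAP11 originates leaves as 10.20.0.4 rather than the primary 10.20.0.3. The interface names, addresses and the choice of management ports (telnet, http, snmp) are assumptions taken from the thread; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: one-to-one NAT of 10.20.0.4 (eth1:1) <-> 192.168.168.178 (WAP11).
# Assumes eth1 is the external and eth0 the internal interface, as in the thread.
# Set DRY_RUN=1 to print the commands instead of executing them.

EXT_IF="${EXT_IF:-eth1}"
INT_IF="${INT_IF:-eth0}"
PUB_IP="${PUB_IP:-10.20.0.4}"
AP_IP="${AP_IP:-192.168.168.178}"

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

nat_rules() {
    # Forwarding must be on, or nothing ever reaches the FORWARD chain.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    # Inbound: rewrite the destination before routing. Everything after this
    # point (routing, FORWARD) sees 192.168.168.178, not 10.20.0.4.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$PUB_IP" \
        -j DNAT --to-destination "$AP_IP"

    # Outbound half of the one-to-one map: connections the AP originates
    # leave as 10.20.0.4 instead of the primary address of eth1.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$AP_IP" \
        -j SNAT --to-source "$PUB_IP"

    # FORWARD runs after the DNAT, so match the internal address. Only the
    # management ports are opened rather than all ports (assumed: telnet,
    # http over tcp and snmp over udp).
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$AP_IP" \
        -p tcp -m multiport --dports 23,80 -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$AP_IP" \
        -p udp --dport 161 -j ACCEPT

    # Replies: conntrack reverses the NAT automatically, but the packets still
    # have to be allowed back out through FORWARD.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$AP_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: sh nat.sh apply   (or DRY_RUN=1 sh nat.sh apply to review the rules first)
case "${1:-}" in
    apply) nat_rules ;;
esac
```

Note that a FORWARD policy of DROP with these rules is enough to reproduce the symptom Ryan describes if the ESTABLISHED,RELATED rule is left out: iptraf shows the request arriving, but the reply is silently dropped on the way back out. Also, the PREROUTING rule does not affect packets generated on the NAT box itself; connecting to 10.20.0.4 from the router needs a matching DNAT rule in the nat OUTPUT chain.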