From: "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>
To: Richard <richard@o-matrix.org>
Cc: Netfilter users list <netfilter@lists.netfilter.org>
Subject: Re: port translation
Date: Wed, 05 Jan 2005 08:23:43 -0500
Message-ID: <1104931423.3684.5.camel@localhost>
In-Reply-To: <EINSTEINdGuysj7L2Sg00000bb4@einstein.systemmetrics.com>
On Tue, 2005-01-04 at 22:23 -1000, Richard wrote:
> Hi,
>
> I am trying to work on port translation. One inside host with source port
> xxx would always have the same port yyy after nat. Even after the conntrack
> expires, I still want outside incoming packet to port yyy be able to map to
> the same host and port. This is what I did,
>
> Assume inside 192.168.25.150:5000 maps to outside 66.1.2.3:60150 on
> interface vlan1,
>
> # allow outside traffic to come in
> iptables -t nat -I PREROUTING -p udp -i vlan1 -d 66.1.2.3 --dport 60150 -j DNAT --to-destination 192.168.25.150:5000
>
> # allow outside traffic to go through the router
> iptables -t filter -I FORWARD -p udp -i vlan1 --dport 5060 -j ACCEPT
>
> # allow inside traffic to go out
> iptables -t nat -I POSTROUTING -p udp -s 192.168.25.150 --sport 5000 -o vlan1 -j SNAT --to-source 66.1.2.3:60150
>
> Can someone please confirm that this is the right way to do it?
>
> Also if I have multiple internal hosts, for example, one hundred host
> 192.168.25.1xy:5000 maps to 66.1.2.3:601xy, is there a quick way to do it
> instead of 100 blocks of iptables statements?
<snip>
I haven't confirmed it by trying it but it looks like it would work. I
assume you have a rule somewhere which will allow internal stations to
initiate traffic outbound on port 5000. This would typically be in your
FORWARD chain just like you have the rule to allow external stations to
initiate traffic. I also assume that you really want the entire world
to be able to reach the internal device on that port.
I don't know of a way to condense the number of rules you need to do
this direct port mapping in the nat table. You could use the iprange
patch or subnet addressing to reduce the number of rules in the FORWARD
chain.
I suppose it would be a simple matter to develop a quick bash script to
create an iptables-restore file and load the rules that way rather than
manually entering each.
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
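The generator script John suggests, written out as an added example (this is not code from the thread or from either poster). It assumes the layout in Richard's question: hosts 192.168.25.100 to 192.168.25.199 on UDP 5000, mapped to 66.1.2.3:60100 to 66.1.2.3:60199 on vlan1. The nat table gets one static DNAT/SNAT pair per host, so the mapping survives conntrack expiry; the FORWARD rules use the iprange match John mentions, so two rules cover all 100 hosts instead of 200. The variable names and the function names are the example's own.

```shell
#!/bin/sh
# Emit an iptables-restore input file for a block of static UDP port mappings.
# Example code only, not the poster's script. Values below are the ones from
# the thread (assumptions about the actual network).
EXT_IF="vlan1"            # external interface
EXT_IP="66.1.2.3"         # public address the ports are mapped onto
INT_PREFIX="192.168.25.1" # hosts 192.168.25.100 .. 192.168.25.199 (1xy)
INT_PORT="5000"           # port every internal host listens on
EXT_PORT_PREFIX="601"     # external ports 60100 .. 60199 (601xy)

# nat table: one DNAT (inbound) and one SNAT (outbound) rule per host, so the
# translation is fixed and does not depend on an existing conntrack entry.
gen_nat_rules() {
    printf '*nat\n'
    i=0
    while [ "$i" -le 99 ]; do
        xy=$(printf '%02d' "$i")           # the "xy" part shared by host and port
        printf '%s\n' "-A PREROUTING -i $EXT_IF -p udp -d $EXT_IP --dport ${EXT_PORT_PREFIX}${xy} -j DNAT --to-destination ${INT_PREFIX}${xy}:${INT_PORT}"
        printf '%s\n' "-A POSTROUTING -o $EXT_IF -p udp -s ${INT_PREFIX}${xy} --sport $INT_PORT -j SNAT --to-source ${EXT_IP}:${EXT_PORT_PREFIX}${xy}"
        i=$((i + 1))
    done
    printf 'COMMIT\n'
}

# filter table: FORWARD sees the post-DNAT destination for inbound packets and
# the pre-SNAT source for outbound ones, so match the internal range on both.
# Address range 192.168.25.100-199 is not a CIDR block, hence -m iprange.
gen_filter_rules() {
    printf '*filter\n'
    printf '%s\n' "-A FORWARD -i $EXT_IF -p udp -m iprange --dst-range ${INT_PREFIX}00-${INT_PREFIX}99 --dport $INT_PORT -j ACCEPT"
    printf '%s\n' "-A FORWARD -o $EXT_IF -p udp -m iprange --src-range ${INT_PREFIX}00-${INT_PREFIX}99 --sport $INT_PORT -j ACCEPT"
    printf 'COMMIT\n'
}

# Whole restore file: both tables, ready for iptables-restore.
gen_restore_file() {
    gen_nat_rules
    gen_filter_rules
}

# usage: sh mkrules.sh > /etc/portmap.rules && iptables-restore --noflush < /etc/portmap.rules
gen_restore_file
```

Two points to keep in mind when loading it: iptables-restore flushes every table named in the file unless you pass `--noflush` (or include your full existing rule set in the file), and, as John notes, the inbound DNAT plus the FORWARD ACCEPT expose each internal port to any source on vlan1; if the remote peers are known, adding `-s <peer address>` to the PREROUTING and inbound FORWARD rules limits that exposure.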