From: Antony Stone <Antony@Soft-Solutions.co.uk>
To: netfilter@lists.netfilter.org
Subject: Re: Packet forwarding.
Date: Wed, 7 Apr 2004 18:37:29 +0100
Message-ID: <200404071837.29160.Antony@Soft-Solutions.co.uk>
In-Reply-To: <1081358721.40743981919b2@mail.tscnet.net>
On Wednesday 07 April 2004 6:25 pm, bdameron@tscnet.net wrote:
> > If you tell us what your rules are and give us some more detail about
> > your network setup, we might be able to help, however a better solution
> > for you is to look at some of the excellent documentation available to
> > learn how to do it yourself. This is not a hard problem, and you will be
> > able to manage your system much better in future if you understand more
> > about how it works.
> >
> > One very important detail which is not clear from your description above
> > is: where is the "client machine" located?
>
> Client machine being anyone from the outside world. And I have looked
> over some of the documentation. Basically there are no current firewall
> policies. Just want anything coming in on xxx.xxx.xxx.xxx:443 (Internet
> Machine) to be routed to 10.10.1.110:443 (Internal LAN Machine).
>
> Looks like I need to mangle the packet header so that the LAN machine thinks
> that the Internet machine is sending the packet and then have the Internet
> machine redirect the packet to the client. Client again being someone on the
> Internet. Not sure if this can be done or not. Correct me if I am wrong.
With all due respect, yes, you are very wrong. This is a simple "nat +
forward" situation.
Since you haven't said what your ruleset is, I shall assume none, and give you
an example of how to make work what you have asked for:
iptables -F                  # flush the filter table
iptables -F -t nat           # flush the nat table
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP     # default policy: drop anything not explicitly allowed
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies and later packets of accepted connections
iptables -A FORWARD -i eth0 -p tcp --dport 443 -d 10.10.1.110 -j ACCEPT   # new connections, seen here with the already-DNATed destination
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.1.110   # PREROUTING lives in the nat table, so -t nat is required
If eth0 is not your external interface then change it in the above two rules
for whatever your external interface is.
Regards,
Antony.
--
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.
Please reply to the list;
please don't CC me.
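As an added illustration that is not part of the thread, here is a small Python model of how the "nat + forward" rules above treat one HTTPS connection, showing why no extra header mangling is needed for the return path: conntrack records the DNAT on the first packet and undoes it on the replies. The public address 203.0.113.5 (standing in for xxx.xxx.xxx.xxx), the client 198.51.100.7 and the internal interface name eth1 are constructed for the example; the chains are simplified and every packet is assumed to be TCP.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"   # constructed stand-in for xxx.xxx.xxx.xxx
LAN_HOST = "10.10.1.110"    # the internal LAN machine from the thread
EXT_IF = "eth0"             # external interface, as assumed in the rules

@dataclass(frozen=True)
class Packet:                # every packet in this toy model is TCP
    src: str
    sport: int
    dst: str
    dport: int
    iif: str                 # interface the packet arrived on

conntrack = {}               # original-direction tuple -> reply-direction tuple

def flow(p):
    return (p.src, p.sport, p.dst, p.dport)

def prerouting(p):
    """conntrack lookup plus nat PREROUTING: only a NEW flow is matched
    against the DNAT rule; later packets reuse the recorded mapping."""
    if flow(p) in conntrack:                 # client -> firewall, known flow
        return "ESTABLISHED", replace(p, dst=LAN_HOST)
    if flow(p) in conntrack.values():        # LAN host -> client, reply direction
        return "ESTABLISHED", p
    if p.iif == EXT_IF and p.dst == PUBLIC_IP and p.dport == 443:
        # -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.1.110
        conntrack[flow(p)] = (LAN_HOST, 443, p.src, p.sport)
        return "NEW", replace(p, dst=LAN_HOST)
    return "NEW", p

def forward(state, p):
    """filter FORWARD with policy DROP; it sees the already-DNATed destination."""
    if state in ("ESTABLISHED", "RELATED"):  # --state ESTABLISHED,RELATED -j ACCEPT
        return "ACCEPT"
    if p.iif == EXT_IF and p.dport == 443 and p.dst == LAN_HOST:
        return "ACCEPT"                      # -i eth0 -p tcp --dport 443 -d 10.10.1.110
    return "DROP"

def postrouting(p):
    """nat POSTROUTING: a reply of a DNATed flow gets its source put back."""
    return replace(p, src=PUBLIC_IP) if flow(p) in conntrack.values() else p

def firewall(p):
    """One packet through the chains; returns (verdict, packet as sent on)."""
    state, p = prerouting(p)
    verdict = forward(state, p)
    return verdict, (postrouting(p) if verdict == "ACCEPT" else p)
```

On a real box the kernel must also have net.ipv4.ip_forward set to 1, or no packet reaches the FORWARD chain at all; the LAN machine's default route must point back through this firewall so its replies pass the same conntrack entry.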