* DNAT to another Network?
From: Svavar Örn Eysteinsson @ 2004-07-07 11:51 UTC
To: netfilter
Hi everybody.
I have one question about DNAT.
I have a computer foo.com on an ipaddress xxx.xxx.xxx.xxx
Is there any way for me to DNAT all traffic with destination to foo.com
to another server out-of-town, e.g. computer foobar.com with zzz.zzz.zzz.zzz
that is not on my public network?
Diagram (showing where the traffic should go):

Traffic with destination to Computer A

INTERNET(ISP nr1) -------INTERNET(ISP nr2)
       |              |           |
       |              |           |
   Network A          |       Network B
       |              |           |
       |              |           |
   Firewall           |    Computer B (final destination)
       |              |-----|
   ->Computer A
Best regards,
Svavar O
Reykjavik - Iceland
* Re: DNAT to another Network?
From: Gavin Hamill @ 2004-07-07 12:07 UTC
To: netfilter
On Wednesday 07 July 2004 12:51, Svavar Örn Eysteinsson wrote:
> Hi everybody.
>
> I have one question about DNAT.
>
> I have a computer foo.com on an ipaddress xxx.xxx.xxx.xxx
>
> Is there any way for me to DNAT all traffic with destination to foo.com
> to another server out-of-town, e.g. computer foobar.com with
> zzz.zzz.zzz.zzz that is not on my public network?
Yes, basically using Computer A to be an IP-level proxy. Note that the source
address as seen by Computer B will always be that of Computer A. If this is
not a problem, you can use:
# Rewrite the destination of incoming connections for xxx (Computer A) to zzz (Computer B)
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d xxx.xxx.xxx.xxx -j DNAT --to zzz.zzz.zzz.zzz
# FORWARD sees the packet after DNAT, so it must match the rewritten destination zzz, not xxx
$IPTABLES -A FORWARD -p tcp --dport 80 -d zzz.zzz.zzz.zzz -j ACCEPT
# Rewrite the source to Computer A so replies from Computer B come back through this box
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 80 -d zzz.zzz.zzz.zzz -j SNAT --to xxx.xxx.xxx.xxx
Drop the '--dport 80' bits if you want all traffic, not just HTTP to be
proxied.
Cheers,
Gavin.
* Re: DNAT to another Network?
From: Alexander Samad @ 2004-07-07 12:10 UTC
To: netfilter
On Wed, Jul 07, 2004 at 11:51:02AM -0000, Svavar Örn Eysteinsson wrote:
> Hi everybody.
>
> I have one question about DNAT.
>
> I have a computer foo.com on an ipaddress xxx.xxx.xxx.xxx
>
> Is there any way for me to DNAT all traffic with destination to foo.com
> to another server out-of-town, e.g. computer foobar.com with zzz.zzz.zzz.zzz
> that is not on my public network?
>
>
>
> Diagram (showing where the traffic should go):
>
> Traffic with destination to Computer A
>
> INTERNET(ISP nr1) -------INTERNET(ISP nr2)
>        |              |           |
>        |              |           |
>    Network A          |       Network B
>        |              |           |
>        |              |           |
>    Firewall           |    Computer B (final destination)
>        |              |-----|
>    ->Computer A
>
you can do
# DNAT is only valid in the PREROUTING (and OUTPUT) chains of the nat table, and the target
# name must follow -j; options are ordered as iptables expects
iptables -t nat -I PREROUTING -d foo.com -j DNAT --to-destination xxx.xxx.xxx.xxx
the only problem is if the machine xxx.xxx.xxx.xxx can talk to the
originator without talking to the machine nat'ing, then you need an SNAT
rule as well.
> Best regards,
>
> Svavar O
> Reykjavik - Iceland
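Both Gavin's three-rule recipe and Alexander's remark about needing SNAT when the target host can reach the client without going back through the NAT box describe the same mechanism: the relay host DNATs inbound connections, accepts them in FORWARD after the destination has been rewritten, and SNATs them so replies return via the relay. The script below is an added example written for this thread, not code from either poster; the addresses 203.0.113.10 (Computer A) and 198.51.100.20 (Computer B) are constructed TEST-NET placeholders, and `IPTABLES` defaults to `echo iptables` so the generated rules can be reviewed before being loaded. It generalises the recipe to a list of ports, validates its inputs, warns when `net.ipv4.ip_forward` is off, and adds a `LOG` rule in the mangle PREROUTING chain (which runs before nat) so that the original client address is recorded on the relay, since after SNAT Computer B only ever sees Computer A's address.

```shell
#!/bin/sh
# Added example (not from the thread): generate the DNAT / FORWARD / SNAT relay rules
# for one old address, one new address and a list of TCP ports.
# All addresses below are constructed TEST-NET placeholders.
OLD_IP="${OLD_IP:-203.0.113.10}"      # Computer A, the address clients still connect to
NEW_IP="${NEW_IP:-198.51.100.20}"     # Computer B, where the traffic really goes
PORTS="${PORTS:-80 443}"              # TCP ports to relay
IPTABLES="${IPTABLES:-echo iptables}" # dry run by default; set IPTABLES=iptables to load

# valid_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
valid_ipv4() {
  addr=$1
  case "$addr" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$addr" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# valid_port PORT: succeed only for an integer in 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forwarding_enabled: the relay only works if the kernel forwards packets at all.
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# relay_rules OLD NEW PORT: print one iptables argument list per line.
# Order matters: mangle PREROUTING runs before nat PREROUTING, so the LOG rule still
# sees the original destination and the real client source; FORWARD runs after DNAT,
# so it must match the rewritten destination NEW, not OLD.
relay_rules() {
  old=$1; new=$2; port=$3
  printf '%s\n' \
    "-t mangle -A PREROUTING -p tcp --dport $port -d $old -m conntrack --ctstate NEW -j LOG --log-prefix relay-$port:" \
    "-t nat -A PREROUTING -p tcp --dport $port -d $old -j DNAT --to-destination $new" \
    "-A FORWARD -p tcp --dport $port -d $new -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
    "-A FORWARD -p tcp --sport $port -s $new -m conntrack --ctstate ESTABLISHED -j ACCEPT" \
    "-t nat -A POSTROUTING -p tcp --dport $port -d $new -j SNAT --to-source $old"
}

# apply_relay OLD NEW PORT...: validate everything first, then feed each rule to $IPTABLES.
apply_relay() {
  old=$1; new=$2; shift 2
  valid_ipv4 "$old" && valid_ipv4 "$new" || { echo "apply_relay: bad address" >&2; return 2; }
  for p in "$@"; do
    valid_port "$p" || { echo "apply_relay: bad port '$p'" >&2; return 2; }
  done
  forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1; forwarded packets will be dropped" >&2
  for p in "$@"; do
    relay_rules "$old" "$new" "$p" | while IFS= read -r rule; do
      # word splitting of $rule is intentional: each line is one argv list
      $IPTABLES $rule
    done
  done
}

# Dry run: prints the rules for the placeholder addresses and ports.
apply_relay "$OLD_IP" "$NEW_IP" $PORTS
```

The SNAT rule is what Alexander is pointing at: without it, Computer B would answer the client directly from its own address, the client's TCP stack would see a reply from a host it never contacted, and the connection would fail; the price of adding it is that Computer B's logs show only Computer A as the source, which is why the relay keeps its own LOG line per new connection.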
* RE: DNAT to another Network?
From: Svavar Örn Eysteinsson @ 2004-07-07 12:22 UTC
To: 'Gavin Hamill', netfilter
Cool :0)
Thanks.
Anyone know how I would draw this in fwbuilder?
This scenario confuses me. :0(
Thanks a lot.
Best regards,
Svavar O
* Re: DNAT to another Network?
From: Gavin Hamill @ 2004-07-07 13:40 UTC
To: netfilter
On Wednesday 07 July 2004 13:22, Svavar Örn Eysteinsson wrote:
> Cool :0)
> Thanks.
>
> Anyone know how I would draw this in fwbuilder?
> This scenario confuses me. :0(
I've never used fwbuilder, but I suspect that a 'black magic' incantation like
this would be beyond the scope of a GUI firewall tool.
To be honest, I'm not entirely sure how it works, but I understand it enough
to be able to adjust the values to suit the scenario, and that's good enough
for me at the moment.
I last used this in a physical server move, so that requests for the old IP
address would be proxied to the new one. It used a lot of bandwidth, but was
a much better solution than simply having the server 'offline' for some
clients for many hours whilst DNS propagated...
Now we use BGP and multiple providers which solves the addressing problem, but
throws up dozens of new problems :)
Cheers,
Gavin.