From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Combined Internal/External DNAT question
Date: Mon, 16 May 2005 13:35:34 -0500 [thread overview]
Message-ID: <4288E7F6.3030700@riverviewtech.net> (raw)
In-Reply-To: <42889941.5060507@griffous.net>
> My problem still remains however Grant. I would have to create another DNAT rule to match each existing *real* public DNAT rule that currently exists to DNAT traffic from the Internet. Do you have any further ideas for me? Given that a packet can have both the src and dst IP address rewritten in its one trip through iptables, it seems to me that it should be possible for two rewrites to happen at once. My thinking is perhaps breaking the nat table into several chains? Any other suggestions? You've been most helpful so far.
The only other thing that comes to mind would be to use iphash (IP)sets of destination IP addresses on your original DNAT rules. This would cause your iptables rule to match based on the destination of your external IP of your firewall OR your external IP of your DSL modem (/router) and DNAT the traffic to the real server on your 2nd internal subnet. Here is an example rule for what you would need:
iptables -t nat -A PREROUTING -p tcp --dport <tcpservice> -m set --set My_IP_Set dst -j DNAT --to-destination <relevant.internal.server>:<tcpservice>
To support this rule you would need to do the following (likely before you issued the above rule):
ipset -N My_IP_Set iphash
ipset -A My_IP_Set 10.0.0.1
ipset -A My_IP_Set <Public IP>
As stated before, this should cause your one iptables rule to match packets that are destined to any IP in the IP set "My_IP_Set" and DNAT said packets to the <relevant.internal.server>:<tcpservice>. I know that this is not the multiple passes through the iptables chains like you were asking for, but I think it will provide a solution comparable to the result that you were after. Rather than have a rule that will alter traffic such that it will be caught by another rule and then altered again, why not have a rule that will catch either type of traffic?
Grant. . . .
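The following POSIX shell script is an added example, not part of Grant's post: it builds the ipset-backed DNAT rule set the post describes and, for comparison, the one-rule-per-address form it replaces. The set name My_IP_Set, the modem-side address 10.0.0.1, the stand-in public address 203.0.113.10 and the internal target 192.168.1.20:80 are constructed values. It uses the current ipset and iptables syntax (ipset create/add, -m set --match-set) instead of the 2005-era forms in the post (ipset -N ... iphash, --set), and it adds -p tcp --dport because iptables requires a protocol when --to-destination carries a port. The functions print the commands rather than executing them, so the generated rules can be reviewed before applying them as root.

```shell
#!/bin/sh
# Added example (not from the list post): generate an ipset-backed DNAT rule.
# Constructed values: set My_IP_Set, public addresses 10.0.0.1 and
# 203.0.113.10, internal server 192.168.1.20:80.

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  oldifs=$IFS; IFS=.
  set -- $1            # split into octets (positional params are local here)
  IFS=$oldifs
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the commands for ONE DNAT rule keyed on an IP set.
# $1 = set name, $2 = internal target as ip:port, $3 = tcp|udp, $4.. = public IPs
dnat_with_ipset() {
  set_name=$1; target=$2; proto=$3; shift 3
  case $target in *:*) ;; *) echo "target must be ip:port" >&2; return 1 ;; esac
  port=${target##*:}
  echo "ipset create $set_name hash:ip"
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    echo "ipset add $set_name $ip"
  done
  # Single rule: matches any destination in the set, DNATs to the real server.
  echo "iptables -t nat -A PREROUTING -p $proto --dport $port -m set --match-set $set_name dst -j DNAT --to-destination $target"
}

# The form the post wants to avoid: one PREROUTING rule per public address.
# $1 = internal target as ip:port, $2 = tcp|udp, $3.. = public IPs
dnat_per_address() {
  target=$1; proto=$2; shift 2
  port=${target##*:}
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    echo "iptables -t nat -A PREROUTING -p $proto -d $ip --dport $port -j DNAT --to-destination $target"
  done
}

# Count the iptables rules in a generated command list (ipset lines excluded).
count_iptables_rules() {
  grep -c '^iptables ' | tr -d ' '
}

# Run the generated commands; refuses unless root, since nat changes need it.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
  dnat_with_ipset "$@" | sh -e
}

# Example run with the constructed values: prints the commands, applies nothing.
dnat_with_ipset My_IP_Set 192.168.1.20:80 tcp 10.0.0.1 203.0.113.10
```

Review the printed commands, then run apply_rules with the same arguments as root; the ipset must exist before the iptables rule that references it, which is why the set creation lines are printed first.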