From: Eliezer Croitoru
Subject: Re: VoIP conntrack issue
Date: Wed, 14 Nov 2012 18:01:47 +0200
Message-ID: <50A3C06B.2050301@ngtech.co.il>
References: <201211122202.02082.neal.p.murphy@alum.wpi.edu> <50A3BB0A.9070301@ngtech.co.il>
To: Jan Engelhardt
Cc: Jörn Krebs, netfilter
List: netfilter@vger.kernel.org

On 11/14/2012 5:54 PM, Jan Engelhardt wrote:
> On Wednesday 2012-11-14 16:38, Eliezer Croitoru wrote:
>
>> Or instead just use DNAT with specific ports that will allow any other
>> traffic from this host to others based on basic NAT, what is called
>> "port-forwarding"
>
> Port forwarding is a terrible misnomer, because the port itself is an
> entity belonging to the host, and as such static. NA(P)T, or "port
> mapping" if you have to, is just fine and catches the spirit properly.
> If you need a car analogy, you can't move the piers/ports either, only
> the ships.
>
> That said, DNAT is exactly what I gave as one way of resolution. From
> there, one can use --dport(s) as needed, but then that's not a full 1:1
> NAT anymore.
> (I get the feeling my mail was ignored, perhaps you should go through
> the text and bottom post like everybody else.)
>
>>> iptables -t nat -A PREROUTING -i internet [-d 114.XX.234.123] \
>>> -j DNAT --to 192.168.1.38

Since he has a very specific problem, I suggested doing that, which extends what you said.
By the way, you spelled it better than me.

Regards,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer ngtech.co.il
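The two rule forms discussed in this thread, the full 1:1 DNAT quoted above and the --dports-restricted variant Jan mentions, side by side as an added shell example; this is not code from the thread or from the netfilter project. The interface name "internet" and the internal host 192.168.1.38 are taken from the quoted rule; the public address 203.0.113.10 and UDP port 5060 are placeholder assumptions, and the commands are printed rather than applied unless IPT is set to a real iptables binary.

```shell
#!/bin/sh
# Added example: emit the 1:1 DNAT rule from the thread and the port-restricted
# variant. IPT defaults to a dry run that prints the command; run with
# IPT=iptables (as root) to apply the rules for real.
IPT="${IPT:-echo iptables}"

# is_ipv4 ADDR: accept only a dotted quad whose four octets are in 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for i in 1 2 3 4; do
        o=$(echo "$1" | cut -d. -f"$i")
        [ "$o" -le 255 ] || return 1
    done
}

# dnat_full IFACE PUBLIC INTERNAL: full 1:1 mapping. Every port on PUBLIC that
# arrives on IFACE is handed to INTERNAL, which is what the quoted rule does;
# the internal host is exposed on every port it listens on.
dnat_full() {
    is_ipv4 "$2" && is_ipv4 "$3" || return 1
    $IPT -t nat -A PREROUTING -i "$1" -d "$2" -j DNAT --to-destination "$3"
}

# dnat_ports IFACE PUBLIC INTERNAL PROTO PORTS: the same mapping limited to
# PROTO and a comma-separated PORTS list (ranges as low:high, via multiport).
# Only the listed services reach INTERNAL, so this is no longer a full 1:1 NAT.
dnat_ports() {
    is_ipv4 "$2" && is_ipv4 "$3" || return 1
    echo "$5" | grep -Eq '^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*$' || return 1
    $IPT -t nat -A PREROUTING -i "$1" -d "$2" -p "$4" -m multiport --dports "$5" \
        -j DNAT --to-destination "$3"
}

# Sample invocation with the placeholder addresses (constructed values).
dnat_full  internet 203.0.113.10 192.168.1.38
dnat_ports internet 203.0.113.10 192.168.1.38 udp 5060
```

Review the dry-run output before setting IPT to the real binary; a matching SNAT or MASQUERADE rule for outbound traffic is a separate concern not covered here.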