From: "Martin A. Brown"
Date: Wed, 27 Nov 2002 20:40:01 +0000
Subject: Re: [LARTC] transparent PAT
To: lartc@vger.kernel.org

Nickola,

: Well, in fact I tried a solution with doing DNAT (i.e. destination NAT) in
: both directions - from the client to the server and vice versa. With tcpdump
: I saw that packets are going in both directions, but the client application
: refused to accept them. I'm talking about irc. I mean there weren't any
: errors given by the client, just silence. :)

OK! Now I'm confused. Why would you need to do DNAT in both directions?
I thought you said you were using ipchains? If you have iptables, DNAT is
really the answer.....you would DNAT anything inbound from machine A to
machine B. Then let the connection tracking take care of the rest.

If you are using DNAT both directions, I'm guessing I don't quite
understand your intended configuration or you don't quite understand DNAT.
Either way, if you can use DNAT, read up on how to use DNAT at
http://iptables-tutorial.frozentux.net/ and try again.

-- OR --

: Ehm, yes, I tried with priorities 200 and the default ones, which ip rule
: puts at the end - i.e. around 32765 and below.

So, we are agreed....policy based routing probably isn't the answer in
this case.

: > After you have done:
: > # echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
: > can you do something like this:
: > # nc -nlvv -p 3001 -s 77.77.77.77
: > Where 77.77.77.77 is an IP not in use anywhere on your box?

: Yes, I can, but do I have a way to check that someone is indeed
: listening on this port? Except locally, I mean. Because netcat is
: binding to the port with no complaints.

You should be able to use "netstat -ntl" to display the listening sockets
on your system.

: > If you were using redir, why doesn't the following work:
: > # redir --laddr=x.x.x.x --lport=993 --caddr=y.y.y.y --cport=993 --transproxy

: No, it yells
: target: connect: Invalid argument

The poor thing is in pain--that's why it's yelping! I don't have any
problem with the above command line....are you certain that transproxy
support was compiled into your redir?

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
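The one-direction DNAT setup Martin describes ("DNAT anything inbound from machine A to machine B, then let the connection tracking take care of the rest"), as an added example that is not part of the original post or of the LARTC HOWTO. The script emits the iptables rule set rather than applying it, so it can be read and tested anywhere; the client network 10.0.0.0/24, the virtual address 192.0.2.10, the real server 10.0.1.20 and port 993 are constructed placeholders, and the `-m state` match is assumed to be available (it is on both 2002-era and current iptables). The optional MASQUERADE rule is an editor's caveat, not something the thread states: if the real server's route back to the client does not pass through the NAT box, conntrack never sees the replies and cannot reverse the translation, which is one way a client ends up hearing "just silence".

```shell
#!/bin/sh
# Added example (not from the original post): emit the one-direction DNAT
# rule set for "transparent PAT" on an iptables box that sits between the
# client and the real server. Addresses, port and chain layout are
# constructed for illustration; adjust to your own network.
#
# Arguments: <client-src> <virtual-dst> <real-dst> <tcp-port> [snat]
#   client-src   address or CIDR the clients connect from, e.g. 10.0.0.0/24
#   virtual-dst  address the clients think they are talking to
#   real-dst     machine that really answers
#   snat         if given, also source-NAT so replies come back this way

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ip4() {
    # dotted quad, each octet 0-255; an optional /prefix is allowed
    addr=${1%%/*}
    old_ifs=$IFS
    IFS=.
    set -f
    set -- $addr
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

dnat_rules() {
    client=$1 vip=$2 real=$3 port=$4 snat=${5:-}
    valid_ip4 "$client" && valid_ip4 "$vip" && valid_ip4 "$real" \
        && valid_port "$port" || return 1

    # Forwarding must be on, or the DNATed packet is dropped after routing.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Rewrite the destination once, before routing. Connection tracking
    # records the mapping and reverses it on every reply packet, so no
    # rule for the server-to-client direction is needed.
    echo "iptables -t nat -A PREROUTING -s $client -d $vip -p tcp --dport $port" \
         "-j DNAT --to-destination $real:$port"
    # FORWARD sees the post-DNAT destination on the way in, and the
    # server's real source on the way back (un-DNAT happens in POSTROUTING).
    echo "iptables -A FORWARD -s $client -d $real -p tcp --dport $port" \
         "-m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $real -d $client -p tcp --sport $port" \
         "-m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only needed when the real server's route back to the client does not
    # pass through this box: without it conntrack never sees the replies
    # and cannot undo the translation, so the client hears silence.
    if [ -n "$snat" ]; then
        echo "iptables -t nat -A POSTROUTING -s $client -d $real -p tcp --dport $port" \
             "-j MASQUERADE"
    fi
}

# Commands to confirm the mapping is live once the rules are applied.
verify_cmds() {
    echo "iptables -t nat -vnL PREROUTING"
    echo "iptables -vnL FORWARD"
    echo "cat /proc/net/nf_conntrack    # or: conntrack -L"
}

# Dry run with the constructed example: print, do not apply. Pipe the
# output to sh on the NAT box to apply it.
dnat_rules 10.0.0.0/24 192.0.2.10 10.0.1.20 993 snat
verify_cmds
```

Run it as `sh dnat.sh` to review the rules, then `sh dnat.sh | sh` on the NAT box; afterwards the PREROUTING counters and the conntrack table should show the client-to-virtual-address flow mapped onto the real server, with no second rule for the return direction.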