Linux Netfilter discussions
From: Jon Heese <netfilter@jonheese.com>
To: netfilter@lists.netfilter.org
Subject: Re: Forward internal packets as though they're external
Date: Thu, 27 Oct 2005 08:50:42 -0400
Message-ID: <4360CD22.5050408@jonheese.com>
In-Reply-To: <43a0cdcb0510262117v3cd4835p@mail.gmail.com>

Nope, that's the first thing I tried.  From what I can tell, the DNAT 
jump target is not valid in the INPUT chain (which makes sense).

Regards,
Jon Heese

Buddy wu wrote:
> Try "/sbin/iptables -A INPUT -d 65.9.134.4 -s 192.168.0.0/24 -p tcp
> --dport 6969 -j DNAT --to-destination 192.168.0.100:6969"
> It may work, I'm not sure.
> 
> 2005/10/27, Jon Heese <netfilter@jonheese.com>:
> 
>>List,
>>
>>I have a seemingly simple situation here that I have yet to find a
>>straightforward answer to, so here goes.  I have my router/firewall
>>running iptables:
>>
>>eth0 - 65.9.134.4
>>eth1 - 192.168.0.1
>>
>>Then, say an internal machine, "castor":
>>
>>eth0 - 192.168.0.100
>>
>>I'm running a BitTorrent tracker on castor's TCP port 6969, and I'm
>>using iptables to forward traffic coming in router's eth0's port 6969 to
>>castor's 6969 (nat table, PREROUTING chain).  No problem coming in from
>>outside.
>>
>>The problem arises when I want to connect to castor's BitTorrent tracker
>>from another machine behind the router (on the 192.168.0.0/24 subnet).
>>It's matching the INPUT rule and sending the packet directly to router's
>>port 6969, instead of following the FORWARD rule to castor's 6969, and
>>while this makes sense to me, I don't want it to do it.
>>
>>So, the simple solution, I say to myself, is to tell iptables to take
>>all packets with destination address of 65.9.134.4 and source address of
>>192.168.0.0/24 and dport 6969 to go to castor's 6969.  In English I
>>think I have it fine.  Finding the right syntax/logic in iptablesish is
>>where I get tripped up.  I can match the rule fine, I just don't know
>>what action/jump I need to specify to make it redirect.
>>
>>The rule is:
>>
>>/sbin/iptables -A INPUT -d 65.9.134.4 -s 192.168.0.0/24 -p tcp --dport 6969
>>
>>And if I add "-j DROP" or "-j ACCEPT", I get the appropriate action in
>>my testing situation.  Now, the question:
>>
>>What do I have to specify after the above rule definition to either a)
>>get iptables to redirect this packet to my existing nat/PREROUTING chain
>>(which may not be possible), or b) forward it directly to a specified
>>IP:port?
>>
>>If you need any more specifics or code or if I posted this to the wrong
>>list, just let me know.  Thanks in advance.
>>
>>Regards,
>>Jon Heese
>>
>>

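The hairpin NAT (NAT loopback) rule set that handles the situation in the quoted post, added here as an example and not taken from anyone in the thread; it reuses the addresses from the post and assumes an iptables router whose FORWARD chain has no catch-all accept rule.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for the layout in the thread.
# Constructed example; the addresses are the ones the poster gave.
WAN_IP=65.9.134.4        # router eth0
LAN_IP=192.168.0.1       # router eth1, used as the SNAT source
LAN_NET=192.168.0.0/24   # internal subnet
SERVER=192.168.0.100     # castor, the tracker host
PORT=6969                # tracker port

# The rule the thread tried, "-A INPUT ... -j DNAT", is refused because
# DNAT is only valid in the nat table's PREROUTING and OUTPUT chains.
# hairpin_rules emits the working rule set through the command named in
# $1 (default: iptables); pass print_rule to show the rules instead.
print_rule() { printf '%s\n' "$*"; }

hairpin_rules() {
    ipt=${1:-iptables}

    # 1. Rewrite the destination before routing. Not binding the rule to
    #    -i eth0 lets it match internal clients that dial the public IP,
    #    so their packets are forwarded to castor like external ones.
    "$ipt" -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"

    # 2. Rewrite the source of LAN clients only. Without this, castor
    #    answers the client directly on the LAN; the client gets a
    #    SYN-ACK from 192.168.0.100 instead of 65.9.134.4, has no socket
    #    for that tuple and resets the connection. Scoped narrowly so
    #    castor still logs real client addresses for everything else.
    "$ipt" -t nat -A POSTROUTING -s "$LAN_NET" -d "$SERVER" -p tcp \
        --dport "$PORT" -j SNAT --to-source "$LAN_IP"

    # 3. Let only this forwarded flow and its replies through FORWARD.
    "$ipt" -A FORWARD -d "$SERVER" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A FORWARD -s "$SERVER" -p tcp --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

Run `hairpin_rules print_rule` first to review the four rules; `hairpin_rules` alone applies them with the system iptables.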