From: Buddy wu <ejournal4me@gmail.com>
To: Jon Heese <netfilter@jonheese.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Forward internal packets as though they're external
Date: Thu, 27 Oct 2005 12:17:15 +0800
Message-ID: <43a0cdcb0510262117v3cd4835p@mail.gmail.com>
In-Reply-To: <436051E9.2050701@jonheese.com>
Try "/sbin/iptables -t nat -A PREROUTING -d 65.9.134.4 -s 192.168.0.0/24 -p tcp
--dport 6969 -j DNAT --to-destination 192.168.0.100:6969"
It may work, I'm not sure.
2005/10/27, Jon Heese <netfilter@jonheese.com>:
> List,
>
> I have a seemingly simple situation here that I have yet to find a
> straightforward answer to, so here goes. I have my router/firewall
> running iptables:
>
> eth0 - 65.9.134.4
> eth1 - 192.168.0.1
>
> Then, say an internal machine, "castor":
>
> eth0 - 192.168.0.100
>
> I'm running a BitTorrent tracker on castor's TCP port 6969, and I'm
> using iptables to forward traffic coming in router's eth0's port 6969 to
> castor's 6969 (nat table, PREROUTING chain). No problem coming in from
> outside.
>
> The problem arises when I want to connect to castor's BitTorrent tracker
> from another machine behind the router (on the 192.168.0.0/24 subnet).
> It's matching the INPUT rule and sending the packet directly to router's
> port 6969, instead of following the FORWARD rule to castor's 6969, and
> while this makes sense to me, I don't want it to do it.
>
> So, the simple solution, I say to myself, is to tell iptables to take
> all packets with destination address of 65.9.134.4 and source address of
> 192.168.0.0/24 and dport 6969 to go to castor's 6969. In English I
> think I have it fine. Finding the right syntax/logic in iptablesish is
> where I get tripped up. I can match the rule fine, I just don't know
> what action/jump I need to specify to make it redirect.
>
> The rule is:
>
> /sbin/iptables -A INPUT -d 65.9.134.4 -s 192.168.0.0/24 -p tcp --dport 6969
>
> And if I add "-j DROP" or "-j ACCEPT", I get the appropriate action in
> my testing situation. Now, the question:
>
> What do I have to specify after the above rule definition to either a)
> get iptables to redirect this packet to my existing nat/PREROUTING chain
> (which may not be possible), or b) forward it directly to a specified
> IP:port?
>
> If you need any more specifics or code or if I posted this to the wrong
> list, just let me know. Thanks in advance.
>
> Regards,
> Jon Heese
>
>
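What Jon is describing is hairpin NAT (NAT loopback): a LAN host connects to the router's public address and expects to reach the port-forwarded service. The following script is an added example, not code from either poster; it uses the interfaces and addresses from Jon's mail and assumes the `-m state` match is available. The piece that is usually missed is the POSTROUTING SNAT: without it castor answers the LAN client directly from 192.168.0.100, the client expected a reply from 65.9.134.4, and the connection is reset. The rules are emitted by a function so they can be reviewed first; `--apply` (assumed option, needs root) executes them.

```shell
#!/bin/sh
# Hairpin NAT for the tracker in this thread. Addresses/interfaces are the ones
# Jon listed; everything else (variable names, --apply switch) is an assumption
# made for this example.

WAN_IF=eth0
WAN_IP=65.9.134.4
LAN_IF=eth1
LAN_IP=192.168.0.1
LAN_NET=192.168.0.0/24
TRACKER=192.168.0.100
PORT=6969

# Print the iptables commands, one per line, without running them.
hairpin_rules() {
    # 1. External clients: DNAT on the WAN side (what Jon already has).
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $PORT -j DNAT --to-destination $TRACKER:$PORT"
    # 2. LAN clients that connect to the public IP: same DNAT, matched on the LAN
    #    side. DNAT must happen in nat/PREROUTING, before the routing decision;
    #    the filter INPUT chain is after routing, so "-A INPUT ... -j DNAT" is invalid.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -d $WAN_IP --dport $PORT -j DNAT --to-destination $TRACKER:$PORT"
    # 3. Hairpin SNAT: make castor see the router as the source so its reply
    #    goes back through the router and is un-DNATed there. Only LAN-sourced
    #    hairpin flows are rewritten; external clients keep their real address.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -p tcp -d $TRACKER --dport $PORT -j SNAT --to-source $LAN_IP"
    # 4. Let the forwarded flow through the filter table in both directions.
    echo "iptables -A FORWARD -p tcp -d $TRACKER --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -s $TRACKER --sport $PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules the generator produces (sanity check before applying).
hairpin_rule_count() {
    hairpin_rules | wc -l | tr -d ' '
}

# Execute each generated rule, echoing it first.
apply_hairpin_rules() {
    hairpin_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

case "$1" in
    --apply) apply_hairpin_rules ;;
    *) hairpin_rules ;;
esac
```

Run it without arguments to see the five rules; verify afterwards with `iptables -t nat -L -n -v` that the hairpin SNAT counter increments when a LAN host connects to 65.9.134.4:6969.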
Thread overview: 13+ messages
2005-10-27 4:04 Forward internal packets as though they're external Jon Heese
2005-10-27 4:17 ` Buddy wu [this message]
2005-10-27 12:50 ` Jon Heese
2005-10-27 4:51 ` /dev/rob0
2005-10-27 13:07 ` Jon Heese
2005-10-27 14:38 ` /dev/rob0
2005-10-27 21:25 ` Jon Heese
2005-10-27 21:26 ` /dev/rob0
2005-10-27 23:32 ` Jon Heese
2005-10-27 23:38 ` Seferovic Edvin
[not found] <200510272238.j9RMcMFd006766@ajax.jonheese.com>
2005-10-27 23:49 ` Jon Heese
2005-10-27 23:55 ` Seferovic Edvin
[not found] <200510272255.j9RMtouv006919@ajax.jonheese.com>
2005-10-28 0:01 ` Jon Heese