Subj: Re: IPTables forwarding rule
To: alt.linux,alt.os.linux,comp.os.linux,aus.computers.linux
From: caliban
Date: Fri Jul 23 2004 12:47 am

Harry Phillips wrote in message news:...
> I have a client with a firewall device that has a limited interface to
> iptables (I cannot ssh into it either). All you can do is forward a port
> to another IP address, you can't restrict it to a certain source IP.
>
> I have set it up to forward port 22 to my Linux box, that then has
> IPTables to accept anything local and drop everything else except my
> ADSL modem IP.
>
> Now I want to do a similar thing except forward the packets to another
> internal host. I have no idea where to start and what rules to use. The
> setup is:
>
>                    _____________________
>                   | (firewall device)   |      |---> |192.168.1.50|
>   internet <----> |ext_ip 192.168.1.254 | <---|---> |192.168.1.1 |
>                   |_____________________|      |---> |192.168.1.x |
>
>
> I want the Linux box (192.168.1.1) to forward port x to 192.168.1.50,
> but only if the source is my ADSL modem IP.
>
> Do I use the NAT and PREROUTING, POSTROUTING, FORWARD? I have examples
> from the Internet if the Linux box and the host it is forwarding to are
> on different networks but not when they are on the same network.

I assume you tried DNAT on the PREROUTING chain? The problem is probably
with routing -- your packets from the ADSL modem are going to the Linux box
and having their destination IP rewritten as .1.50, but the source IP
remains ADSL, so when the .1.50 box replies to these it will send the
packets to ADSL and thus the default router (.1.254), knowing nothing of
this connection, drops them.

The trick is to both DNAT on the PREROUTING chain and SNAT on the
POSTROUTING chain (twice NAT?), e.g.

  $IT -t nat -A PREROUTING -j DNAT -p tcp -s $ADSL -d $ALIAS --dport $PORT --to-destination=192.168.1.50:$PORT
  $IT -t nat -A POSTROUTING -j SNAT -p tcp -s $ADSL -d 192.168.1.50 --dport $PORT --to-source=$ALIAS

Where ALIAS is an IP alias for your Linux box and ADSL is your modem IP.

Good luck.
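A toy model of the routing problem described in the reply above, added here as an example and not part of the original post: it follows one request from the modem and shows where the reply from 192.168.1.50 ends up with DNAT alone versus DNAT plus SNAT. The ALIAS (192.168.1.2) and ADSL (203.0.113.7) addresses are constructed placeholders; the other hosts are the ones from the thread.

```python
"""Toy model of the twice-NAT flow from the reply. Constructed example, not the
poster's code. Addresses from the thread: target 192.168.1.50, default router
192.168.1.254. ALIAS (192.168.1.2) and ADSL (203.0.113.7) are placeholders."""
from dataclasses import dataclass, replace

ADSL, ALIAS, TARGET, ROUTER = "203.0.113.7", "192.168.1.2", "192.168.1.50", "192.168.1.254"
PORT = 22

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def next_hop(pkt):
    """Plain LAN routing on 192.168.1.0/24: on-link hosts directly, else the default router."""
    return pkt.dst if pkt.dst.startswith("192.168.1.") else ROUTER

def linux_box_forward(pkt, snat):
    """PREROUTING DNAT for ADSL -> ALIAS:PORT only, then optional POSTROUTING SNAT.
    Returns (rewritten packet, conntrack entry) or (None, None) when no rule matches."""
    if (pkt.src, pkt.dst, pkt.dport) != (ADSL, ALIAS, PORT):
        return None, None                      # not from the modem: nothing is forwarded
    out = replace(pkt, dst=TARGET)              # -j DNAT --to-destination 192.168.1.50
    if snat:
        out = replace(out, src=ALIAS)           # -j SNAT --to-source $ALIAS
    # conntrack keys the flow by the translated tuple and remembers the real client
    return out, {"flow": (out.src, out.dst), "client": pkt.src}

def target_reply(pkt):
    """192.168.1.50 simply answers the source address it saw."""
    return Packet(src=pkt.dst, dst=pkt.src, dport=0)

def reply_path(snat):
    """Follow one request and its reply; return the hops the reply travels."""
    fwd, ct = linux_box_forward(Packet(ADSL, ALIAS, PORT), snat)
    reply = target_reply(fwd)
    hop = next_hop(reply)
    if hop == ROUTER:                           # router holds no state for this flow
        return [hop, "dropped"]
    if hop == ALIAS and ct["flow"] == (reply.dst, reply.src):
        undone = replace(reply, src=ALIAS, dst=ct["client"])   # de-NAT both addresses
        return [hop, next_hop(undone)]         # now leaves via the router as expected
    return [hop, "unknown"]
```

With DNAT only the reply is handed straight to 192.168.1.254 and dies there; with SNAT it comes back to the alias, where the conntrack entry lets the Linux box restore the original addresses.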