[Firehol-support] Re: firehol port forwarding

Thomas Arendsen Hein thomas at intevation.de
Mon Jul 26 11:50:41 CEST 2004


* Daniel Pittman <daniel at rimspace.net> [20040725 02:13]:
> On 25 Jul 2004, techHome at acn.gr wrote:
> > I also have a forwarding issue. The subnet on my eth1 (LAN) side is
> > 10.0.0.0 and I want to forward all incoming connections at my server in
> > port ..say.. 3333 to port 3333 on another computer on the Local Lan,
> > however this doesn't seem to work:
> >
> > nat redirect-to 3333 inface eth1 src 10.0.0.25/24 proto tcp dport 3333
>
> If I understand correctly, you want to NAT packets from one machine on a
> lan to another machine on the same LAN, right?

If this is the case, the solution should be:

 lanip=10.0.0.1; lannet=10.0.0.0/24; lanif=eth1
 # rewrite the destination from the server to the target host
 dnat to "10.0.0.25" dst "$lanip" proto tcp dport "3333"
 # rewrite the source so replies come back through the server
 snat to "$lanip" outface "$lanif" src "$lannet" dst "$lannet"

And you need an additional router statement allowing this traffic:

 router lan2lan inface "$lanif" outface "$lanif" src "$lannet" dst "$lannet"
     route all accept

> Basically, this will not work right without additional work, because of
> the way packet paths are resolved.
> 
> When a machine wants to send a packet from 10.0.0.1 to 10.0.0.15, and
> that network is on the same subnet, it does an 'arp' for the machine
> holding the address, then sends the packet direct to that machine.
> 
> NAT only works when *both* directions of a connection pass through the
> NAT machine.

The additional work is the 'snat' line, which replaces the
originating IP with the IP of the server. Because of this, the target
machine sends the replies back through the server, which handles them
using the connection tracker.

If you want to handle all this without iptables, you can use the
'rinetd' package.

Thomas

-- 
Email: thomas at intevation.de
http://intevation.de/~thomas/
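The raw iptables rules behind the firehol snippet above, as an added example that is not part of the original mail and not firehol's own output (the function name hairpin_nat_rules and the IPTABLES variable are assumptions; the addresses and port are the ones from the thread). It prints the rules rather than applying them, so it can be reviewed first and then piped into a root shell.

```shell
#!/bin/sh
# Hairpin (LAN-to-LAN) port forwarding through the router, expressed as
# plain iptables commands.  Example code, not firehol's generated rules.
# Usage: sh hairpin.sh            (prints the rules)
#        sh hairpin.sh | sudo sh  (applies them)

hairpin_nat_rules() {
    # $1 = router LAN IP   $2 = LAN network   $3 = LAN interface
    # $4 = target host     $5 = TCP port
    ipt="${IPTABLES:-iptables}"   # IPTABLES is an assumed override knob

    # Forwarding must be on; firehol does this itself.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 1. DNAT in PREROUTING runs before the routing decision, so the
    #    packet (now addressed to $4) is routed back out of $3.
    echo "$ipt -t nat -A PREROUTING -i $3 -p tcp -d $1 --dport $5 -j DNAT --to-destination $4:$5"

    # 2. SNAT in POSTROUTING runs after DNAT, so '-d $2' matches the
    #    rewritten destination.  Replacing the client's source with the
    #    router IP is what forces $4 to answer via the router: without it
    #    $4 would ARP for the client and reply directly, the reply would
    #    never reach conntrack, and the client would drop a SYN/ACK that
    #    comes from $4 instead of from $1.
    echo "$ipt -t nat -A POSTROUTING -o $3 -s $2 -d $2 -j SNAT --to-source $1"

    # 3. The filter table must allow forwarding in and out of the same
    #    interface (firehol's 'router lan2lan ... route all accept').
    #    Both directions match because src and dst are both in $2.
    echo "$ipt -A FORWARD -i $3 -o $3 -s $2 -d $2 -j ACCEPT"
}

# Values from the thread: router 10.0.0.1 on eth1, target 10.0.0.25:3333.
hairpin_nat_rules 10.0.0.1 10.0.0.0/24 eth1 10.0.0.25 3333
```

Two things worth checking after applying: the conntrack table (cat /proc/net/nf_conntrack, or conntrack -L from conntrack-tools) should show each hairpinned connection with both the destination and the source rewritten, and the target host's logs will record every such connection as coming from the router IP, because the SNAT hides the real client address. If that loss of client identity matters, log the original source on the router (for example with a LOG rule in PREROUTING before the DNAT) rather than on the target.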