On Wed, Jan 7, 2015 at 11:41 AM, shimi <linux...@shimi.net> wrote:
>
> On Wed, Jan 7, 2015 at 11:35 AM, shimi <linux...@shimi.net> wrote:
>>
>> On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0...@gmail.com> wrote:
>>> Hello.
>>>
>>> I have an iptables question.
>>>
>>> I have the following:
>>>
>>> ext_ip -> NAT1 -> linux firewall -> network -> computer1:eth0 .. computer99
>>>
>>> I have no control over NAT1.
>>> computer1 can also reach the internet via eth1.
>>>
>>> linux firewall redirects incoming port 7777 from ext_ip to computer1;
>>> however I need computer2 .. computer99 to connect to ext_ip:7777 and also
>>> reach computer1.
>>>
>>> So first I did a NAT rule in linux firewall to redirect all packets from
>>> internal to ext_ip:7777 to computer1, and did an 'ifconfig eth0:1 $ext_ip
>>> up' on computer1.
>>> This works. However, it causes computer1 not to be able to access the real
>>> ext_ip via eth1, which is connected to the internet as well.
>>>
>>> So I thought of doing both DNAT and MASQ, which will do the same but will
>>> not require assigning ext_ip to computer1.
>>> However, I do not know how to do that.
>>>
>> If computer1 can access ext_ip:7777, all you need is to allow ip_forward
>> (/etc/sysctl.conf for permanent, and echo 1 > /proc/sys/net/ipv4/ip_forward)
>> on computer1, and have all other computers have a static route to ext_ip via
>> computer1.
>>
>> Then, in computer1,
>>
>> iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> [ -i
>> <interface subnet of computers come from> ] -s <subnet of computers/netmask>
>> -p tcp --dport 7777 -j MASQUERADE
>>
>> should do...
>>
>> (Of course, assuming the iptables FORWARD chain is not dropping those
>> packets; otherwise you'd need an ACCEPT rule there, too...)
>>
>> HTH,
>>
>> -- Shimi
>>
> And on a second read, I think I got you wrong and the purpose was to
> access computer1 port 7777 (hopefully listening on 0.0.0.0) from computersN
> by using the external IP from the inside?

yes

> If so, did:
>
> iptables -I PREROUTING -i <interface of computersN subnet> -s <subnet of
> computers/netmask> -p tcp --dport -j REDIRECT --to-port 7777
>
> not work?

computerN's default route is the linux firewall. Without any rules on linux
firewall, it will forward packets from computer1 destined to ext_ip to NAT1,
and they will not reach computer1 at all, so rules on computer1 are useless.
Doing a DNAT on linux firewall will direct the packets to computer1; however
computer1 will know computerN and will reply directly without going through
linux firewall, and computer1 will not match the packets to the original
connection.

> -- Shimi
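The DNAT plus MASQUERADE combination Erez asks about (usually called hairpin or loopback NAT) is never actually written out in this thread, so here is an added example of what it looks like on the linux firewall; these are not rules posted by anyone on the list. The reply problem Erez describes (computer1 answering computerN directly, bypassing the firewall) is fixed by the POSTROUTING rule: after the DNAT, the source of the hairpinned packet is rewritten to the firewall's own eth0 address, so computer1 sends its replies back to the firewall, where conntrack undoes both translations. The interface names and addresses (eth0, 192.168.1.0/24, computer1 at 192.168.1.10, ext_ip 203.0.113.10) are made-up assumptions, overridable through the environment. The script prints the commands rather than running them, so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Hairpin NAT on the linux firewall: let computer2..computer99 reach
# computer1:7777 via ext_ip without assigning ext_ip to computer1.
# Every value below is an assumption for illustration; override via env.
EXT_IP="${EXT_IP:-203.0.113.10}"      # public address in front of NAT1 (assumed)
LAN_IF="${LAN_IF:-eth0}"               # firewall interface facing computer1..99 (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # internal subnet (assumed)
SERVER="${SERVER:-192.168.1.10}"       # computer1's eth0 address (assumed)
PORT="${PORT:-7777}"

# Kernel prerequisite: the firewall must forward between LAN hosts at all.
sysctl_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Emit the four rules as text instead of applying them.
#  1. PREROUTING DNAT: LAN traffic aimed at ext_ip:PORT is redirected to
#     computer1. Restricted to -i LAN_IF so the existing rule for traffic
#     arriving from NAT1 on the external interface is untouched.
#  2. POSTROUTING MASQUERADE: only for hairpinned connections (-o LAN_IF and
#     -d SERVER, i.e. post-DNAT destination), so ordinary LAN traffic keeps
#     its real source. This is what forces computer1's replies back through
#     the firewall instead of straight to computerN.
#  3./4. FORWARD: allow the new connection towards computer1 and the
#     conntrack-tracked return traffic, in case FORWARD's policy is DROP.
hairpin_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $EXT_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER -p tcp --dport $PORT -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage:  sh hairpin.sh            # review the commands
#         sh hairpin.sh | sudo sh  # apply them on the firewall
sysctl_rules
hairpin_rules
```

Two caveats a practitioner should keep in mind. First, because of the MASQUERADE, computer1 sees every hairpinned connection as coming from the firewall's eth0 address, so its logs and any per-client access control on port 7777 lose the real computerN address; if that matters, the alternative is to give computerN hosts a static route to ext_ip via computer1 (Shimi's first suggestion) or to make the firewall's DNS answer with computer1's internal address. Second, `-j SNAT --to-source <firewall eth0 address>` is an explicit equivalent of MASQUERADE here and avoids the re-evaluation of the interface address that MASQUERADE performs; on a host whose LAN address never changes either one is fine. After applying, `iptables -t nat -L -n -v` shows the packet counters climbing on the two nat rules when computerN connects to ext_ip:7777, which is the quickest check that the hairpin is being taken and computer1 itself no longer needs eth0:1.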
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il