On Monday 18 March 2002 5:22 pm, Brian Capouch wrote:

> I want to NAT a private IP addr, 192.168.1.2 (as if that mattered) out
> to the world and then back in again, so that I can remotely bring up an
> X window for a demo I have to do "outside" later in the week.
    iptables -A PREROUTING -t nat -d 111.222.333.444 -j DNAT --to 192.168.1.2
    iptables -A POSTROUTING -t nat -s 192.168.1.2 -j SNAT --to 111.222.333.444

The first rule changes packets coming in from the Internet which were addressed to 111.222.333.444 and sends them to 192.168.1.2. The second rule changes packets which come from 192.168.1.2 and makes them look like they came from 111.222.333.444.

Don't forget the appropriate FORWARD rules to let the packets through as well:

    iptables -A FORWARD -s 192.168.1.2 -j ACCEPT
    iptables -A FORWARD -d 192.168.1.2 -j ACCEPT

Remember that your NATing box needs to have 111.222.333.444 added to its external interface if this address is in the same network range as the NAT machine's real external address. If it's in a different network range, then you just need to have packets for 111.222.333.444 routed from the previous router, to use the NAT box as the next hop.

These rules will allow all packets, any protocol (TCP, UDP, ICMP, ESP...) to get through the Firewall, to & from ANY external address - so be careful about security on the "target" machine, otherwise you might find it's a target for more than you expected :-)

Hope this helps,

Antony.
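As an added example (not Antony's rules and not from the original thread), the same 1:1 NAT with the FORWARD chain narrowed to one TCP port and stateful replies, rather than accepting every protocol from every address; the addresses, the port, the trusted source range and the dry-run IPTABLES variable are assumptions:

```shell
#!/bin/sh
# Added example, not the rules from the thread. 1:1 NAT for one internal host,
# with the FORWARD chain restricted instead of wide open.
# Set IPTABLES=echo to dry-run and inspect the rules without touching the kernel.
IPTABLES="${IPTABLES:-iptables}"

# Usage: one_to_one_nat PUBLIC_IP PRIVATE_IP ALLOWED_TCP_PORT [TRUSTED_SRC]
one_to_one_nat() {
    pub="$1"; priv="$2"; port="$3"; src="${4:-0.0.0.0/0}"

    # Translation in both directions, as in the post: inbound to the public
    # address goes to the private host, outbound from it looks like the public address.
    "$IPTABLES" -t nat -A PREROUTING  -d "$pub"  -j DNAT --to-destination "$priv"
    "$IPTABLES" -t nat -A POSTROUTING -s "$priv" -j SNAT --to-source "$pub"

    # Packets belonging to flows already accepted, in either direction.
    "$IPTABLES" -A FORWARD -d "$priv" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -s "$priv" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New inbound connections: only one TCP port, only from the trusted range
    # (assumed values; 0.0.0.0/0 if none is given).
    "$IPTABLES" -A FORWARD -d "$priv" -s "$src" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT

    # The internal host may still open connections outward.
    "$IPTABLES" -A FORWARD -s "$priv" -m conntrack --ctstate NEW -j ACCEPT

    # Anything else aimed at the host is logged (so you can see who is knocking) and dropped.
    "$IPTABLES" -A FORWARD -d "$priv" -j LOG --log-prefix "nat-fwd-drop: "
    "$IPTABLES" -A FORWARD -d "$priv" -j DROP
}

# Example (dry run, constructed addresses):
#   IPTABLES=echo one_to_one_nat 203.0.113.10 192.168.1.2 22 198.51.100.0/24
```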