Okay, I have this working on a SuSE box running iptables v1.2.5, but on a Gentoo box running iptables 1.2.6a I cannot get it to work. The code, with the exception of IP addresses, is the same, and I opened up the system to try to eliminate the "default policy" as the cause of the problem. I'm trying to NAT ssh traffic back into a box on my LAN. The firewall has an alias set up on the external interface for the internal box:

    /sbin/ifconfig eth0:0 1.2.3.4 netmask 255.255.255.0 broadcast 1.2.3.255 up

and a host route set as well:

    /sbin/route add -host 1.2.3.4 netmask 255.255.255.255 metric 1

netstat and ifconfig show both of these as present. I know Harald mentioned that aliases are deprecated, but am I the only person who is completely befuddled by the iproute2 stuff? I try to read the documentation and I start drooling (not in a good way, more like in a head-wound, overly medicated mental patient way) and begin to doubt my reasoning skills. Short story: is there any more simplistic documentation for iproute2 around somewhere?

So, I want to NAT the ssh traffic from 1.2.3.4 to the internal address of 192.168.100.1. So, I added the following rules:

    /usr/sbin/iptables -t nat -A PREROUTING -p tcp -s any/0 --sport 1024:65535 \
        -d 1.2.3.4 --dport 22 -j DNAT --to 192.168.100.1:22
    /usr/sbin/iptables -t nat -A POSTROUTING -p tcp -s 192.168.100.1 --sport 22 -d any/0 \
        --dport 1024:65535 -j SNAT --to 1.2.3.4:22

Now, when I try to ssh into the box from the outside world, nothing happens. I run ssh in verbose mode and it acts as if this is a non-existent host. I never connect. However, if I ssh into the firewall and then ssh to 192.168.100.1, I have no problem! Even weirder is that I have a small DMZ set up off of an ethernet hub connected to eth2, and I can NAT ssh traffic in and out to a couple of hosts on this segment with no troubles at all.

Any ideas?

geoffrey
--
+++++++++++++++++++++++++++++++++++
Santa Claus, the Tooth Fairy, Windows 2000 ...
Some things you just outgrow.
+++++++++++++++++++++++++++++++++++
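For reference, a DNAT port-forward of the shape described in the message above, written as an added example that is not the poster's script: it prints the rules it would apply (and executes them only when APPLY=1 is set), so the rule set can be reviewed before it touches a firewall. It reuses the addresses from the message, assumes eth0 is the external interface and that the `state` match module is available, and relies on connection tracking to reverse the translation on reply packets.

```shell
#!/bin/sh
# Added example (not the poster's script). Generates the iptables rules for
# forwarding inbound ssh from an external address to a LAN host. The interface
# name and addresses are placeholders taken from the message above.
# Nothing is applied unless APPLY=1 is set in the environment.

# Print the rule set for one DNAT port-forward:
#   $1 = external IP, $2 = internal IP, $3 = TCP port, $4 = external interface
dnat_rules() {
    ext_ip=$1; int_ip=$2; port=$3; ext_if=$4
    # Rewrite the destination of inbound connections. The nat table only sees
    # the first packet of a connection; conntrack undoes the translation on the
    # replies, so no separate SNAT rule is needed for the return traffic.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp -d $ext_ip --dport $port -j DNAT --to-destination $int_ip:$port"
    # The FORWARD chain sees the packet after DNAT, so it must match the
    # internal address. A DROP policy there makes the client hang silently,
    # which looks like a host that does not exist.
    echo "iptables -A FORWARD -i $ext_if -p tcp -d $int_ip --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -o $ext_if -p tcp -s $int_ip --sport $port -m state --state ESTABLISHED -j ACCEPT"
}

# Number of rules produced for a port-forward (sanity check before applying).
rule_count() {
    dnat_rules "$@" | wc -l | tr -d ' '
}

main() {
    rules=$(dnat_rules 1.2.3.4 192.168.100.1 22 eth0)
    echo "$rules"
    if [ "${APPLY:-0}" = "1" ]; then
        # Without forwarding enabled, DNATed packets are dropped at routing.
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "$rules" | sh -e
    fi
}

main
```

After applying, `iptables -t nat -L PREROUTING -v -n` shows the DNAT rule's packet counter increasing on each inbound ssh attempt; if it stays at zero the packet never reached the nat table, and if it climbs while the FORWARD counters do not, the FORWARD chain is where the connection is being lost.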