If you are DNATing from 192.168.0.1:80 to whatever:80, you do not
need to say port 80 again. Whatever port you list as the destination,
as long as you need to DNAT to the same port, will be the port
traffic is DNATed to.

jd
Also, rules needed:

# nat table: rewrite the destination of incoming port-80 traffic
iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 80 -j DNAT \
    --to-destination 192.168.0.8

# filter table: let the forwarded connection and its replies through
iptables -A FORWARD -d 192.168.0.8 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.8 -m state --state RELATED,ESTABLISHED -j ACCEPT


>From: Marc Carter <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: simple, but not for me
>Date: Sun, 30 Jun 2002 12:48:37 -0400
>
>[EMAIL PROTECTED] wrote:
>
>[snip]
>
> > This is what you need to port forward (assuming standard ports):
> >
> > #Forward web services to internal host
> > iptables -t nat -A PREROUTING -p tcp -d $extip --dport 80 -j DNAT --to 192.168.0.8:80
> >
> > #Forward ssh to internal host
> > iptables -t nat -A PREROUTING -p tcp -d $extip --dport 22 -j DNAT --to 192.168.0.8:22
> >
> > #Forward mysql to internal host
> > iptables -t nat -A PREROUTING -p tcp -d $extip --dport 3306 -j DNAT --to 192.168.0.8:3306
> >
> > Remember to shut off the above services on your firewall box.
>
>This last has me curious.  If I shut off ssh (port 22) on the firewall,
>then I can't get into it to work on it (it's headless and far far away
>from a chair -- and just now what seems more important, a fan).
>
>Right now, ssh into the firewall box from the ext_if goes straight to
>one of the internal machines (but only allowed from one other trusted
>machine, 1.2.3.4 in the e.g.), but an ssh request from the internal
>network (into the int_if) stays on the firewall box.
>
>Sort of looks like this:
>
>All chains are flushed and set to default DROP
>
>The nat chain rules are
>
>$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 1.2.3.4 \
>   -d my.static.ip.address -p tcp --dport 22 -j DNAT \
>   --to 192.168.1.2
>
>$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s 192.168.1.2 \
>   -p tcp --sport 22 -j SNAT --to my.static.ip.address
>
>The FORWARD chain rule allows port 22 (originating from trusted machine)
>from the firewall to the internal box and then drops the rest
>
>$IPTABLES -A FORWARD -s 1.2.3.4 -d 192.168.1.2 -p tcp -j ACCEPT
>$IPTABLES -A FORWARD -p tcp --dport 22 -j DROP
>
>And then an INPUT rule to allow getting into the box from the internal
>network
>
>$IPTABLES -A INPUT -s $INT_NET -i $INT_IF -j ACCEPT
>
>but disallows spoofing from the outside
>
>$IPTABLES -A INPUT -s $INT_NET -i $EXT_IF -j DROP
>
>This seems to work.  If anyone sees anything stupid here, let me know.
>I hate being stupid.
>
>Thanks.
>
>m
>
>
>
>--
>Marc Carter
>Assistant Professor, Itinerant Scientist,
>         Inveterate Skeptic, Former Surfer.
>---
>"You can't have a market system that really depends
>on everybody behaving as saints."
>------
>Ken Rose, OSU's National Regulatory Research Institute
>
>


thanks,
jd

[EMAIL PROTECTED]
http://www.taproot.bz
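A fuller version of the same port-forward pattern, added here as an example and not taken from jd's or Marc's messages: a small POSIX shell helper that emits the three rules each forward needs (the nat/PREROUTING DNAT, a FORWARD rule for the new connection, and a FORWARD rule for the replies). It generalises the two cases in the thread by accepting an optional trusted source address, the way Marc limits ssh to 1.2.3.4. The interface name eth0 and the addresses 203.0.113.5, 192.168.0.8, 192.168.1.2 and 198.51.100.7 are constructed placeholders; `run`, `forward_port` and `count_rules` are this example's own names. By default it only prints the commands (DRY_RUN=1), so it can be read and checked without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): generate the three rules a DNAT port
# forward needs, with a dry-run mode that prints the iptables commands
# instead of executing them. Interface names and addresses are placeholders.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only; set to 0 to apply them as root

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# forward_port EXT_IF EXT_IP PROTO PORT INT_HOST [TRUSTED_SRC]
# Forwards EXT_IP:PORT arriving on EXT_IF to INT_HOST on the same port.
# If TRUSTED_SRC is given, only that source address may use the forward.
forward_port() {
    ext_if=$1 ext_ip=$2 proto=$3 port=$4 int_host=$5 src=${6:-}
    if [ -n "$src" ]; then
        src_match="-s $src"
    else
        src_match=""
    fi

    # 1. nat/PREROUTING rewrites the destination. The chain lives in the
    #    nat table, so -t nat is mandatory. The port is unchanged, so
    #    --to-destination needs only the address.
    run -t nat -A PREROUTING -i "$ext_if" $src_match -d "$ext_ip" \
        -p "$proto" --dport "$port" -j DNAT --to-destination "$int_host"

    # 2. filter/FORWARD sees the packet after DNAT has already happened,
    #    so it must match the internal address, not the public one.
    run -A FORWARD -i "$ext_if" $src_match -d "$int_host" \
        -p "$proto" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. Replies. conntrack reverses the DNAT on return packets, so no SNAT
    #    rule is needed; the state rule must end in -j ACCEPT to do anything.
    run -A FORWARD -o "$ext_if" -s "$int_host" \
        -p "$proto" --sport "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check for scripts that build a larger rule set: one forward = 3 rules.
count_rules() {
    forward_port "$@" | wc -l | tr -d ' '
}

# Usage (dry run): a web forward open to everyone, and an ssh forward that
# only one trusted host may reach.
if [ "${1:-}" = demo ]; then
    forward_port eth0 203.0.113.5 tcp 80 192.168.0.8
    forward_port eth0 203.0.113.5 tcp 22 192.168.1.2 198.51.100.7
fi
```

Run it as `sh forward.sh demo` to see the generated commands. Two details that are easy to drop when typing these by hand: PREROUTING is only reachable with `-t nat`, and a RELATED,ESTABLISHED rule with no `-j` target matches packets but does nothing with them. The FORWARD rules match the internal address because the filter table runs after the destination has been rewritten.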
