* Paul Johnson (baloo@ursine.dyndns.org) [020603 08:34]: > iptables just confuses me at times. > > I'm trying to figure out how to forward all packets hitting this machine > on one port to a port on another machine inside my network. I'm kinda > stumped. $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $PORT \ -j DNAT --to-destination $OTHER_IP Should do it. The reason I give $EXT_IF up there is I'm assuming that the machine doing the DNAT is a gateway of some sort. If you're trying to get it working for machines within your network, it won't work: Machine A - just some machine on your network Machine D - the machine doing the DNAT Machine B - the $OTHER_IP listed above When A tries to connect to D on $PORT, the packets are re-sent to B. B sees a connection from A, and tries to respond to A, but A says "wtf? I'm not trying to talk to B!" and sends an RST, meanwhile waiting, retransmitting, and timing-out trying to connect to D. I works when D is a gateway between the machines because the return packets from B to A go through D where they are un-natted so that A sees them as part of the original connection. Perhaps you already know all this, but your exact setup was unclear in your original post. We can probably tell you exactly what's not working and how to make it better if you give us: a little bit of the network topology you're trying to use. (i.e. "D is a gateway on the Internet, B is a machine in my private 192.168 LAN, and I want to DNAT requests coming from other Internet hosts", or something equally brief, but accurate to your setup) What commands you have tried and what results and/or log entries (if any) you have gotten. A bit of info about the rest of your firewall setup. Are you filtering as well? If D is a gateway as above, is all of the necessary traffic being allowed through FORWARD ? good times, Vineet -- Currently seeking opportunities in the SF Bay Area Please see http://www.doorstop.net/resume.shtml
Attachment:
pgpIdbeSZ9lnY.pgp
Description: PGP signature