Linode Forum
Linode Community Forums
 Post subject: iptables
PostPosted: Thu Jun 02, 2005 5:13 am 
Senior Member

Joined: Sat Jun 05, 2004 12:49 am
Posts: 333
Having some trouble with iptables. I'm trying to use my Linode to forward traffic on a certain port to a different address; to test, I had it forward to my computer here at home and I ran Ethereal.

Code:
iptables -t nat -A PREROUTING -p tcp -d 64.62.231.86 --dport 2106 -j DNAT --to 66.182.217.197


I'm watching the packet get sent to the server, but I never see it forwarded back to me... any ideas?


 Post subject:
PostPosted: Thu Jun 02, 2005 6:25 am 
Senior Member

Joined: Sat Jun 05, 2004 12:49 am
Posts: 333
lol never mind, forgot the

Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


 Post subject:
PostPosted: Thu Jun 02, 2005 6:44 am 
Senior Member

Joined: Sat Apr 03, 2004 7:44 am
Posts: 64
ICQ: 2623399
Yes, you must do 3 things to properly map ports to another address using only one network interface (DNAT on the same interface), that is, when you only have one interface on the iptables machine:

- change the destination IP inside each packet before routing to the end machine's IP
- change the source IP in each packet after routing to the iptables machine's IP (so that the end machine will return the IP to the iptables machine, and not the initial one)
- enable IP forwarding on the iptables machine

Here's the complete command set, considering that 64.62.231.86 is the iptables machine:

Code:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2106 -j DNAT --to-destination 66.182.217.197:2106

iptables -t nat -A POSTROUTING ! -s 64.62.231.86 -d 66.182.217.197 -j SNAT --to-source 64.62.231.86

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT


The first line says: all packets that enter the iptables machine on port 2106 of any IP on the iptables machine (you can restrict this to only one IP if you want) are to go to 66.182.217.197 port 2106.

The second line says: all packets that leave the iptables machine and that have a source IP address different from the iptables machine's IP are to be changed to the iptables machine's IP. If you don't do this then the end machine at 66.182.217.197 will simply reply to the initial machine and not the iptables machine, and the packet will get dropped/rejected.

The last two lines enable IP forwarding on the interfaces of the iptables machine. Without that nothing works. To have IP forwarding enabled after reboot you need to edit some /etc conf files. For Debian it's /etc/network/options (set ip_forward=yes), for Red Hat it's /etc/sysconfig/network (set FORWARD_IPV4=true), for Gentoo it's /etc/sysctl.conf (set net.ipv4.ip_forward=1); google for other distros :P

If you want more details and explanations: http://www.idallen.com/oclug/2004_nat/dnat.txt


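The three requirements above (a PREROUTING DNAT, a POSTROUTING SNAT or MASQUERADE so replies come back through the forwarding box, and IP forwarding enabled with a FORWARD chain that lets the traffic through) can be checked mechanically against an `iptables-save` dump. The following audit script is an added example and is not code from the thread; the dump it parses is a constructed sample in `iptables-save` format that mirrors the rule set in the post above (with the modern `! -s` negation syntax), and the `ip_forward` value is assumed to be read from `/proc/sys/net/ipv4/ip_forward`. It reports the original poster's first attempt (DNAT only) as missing the POSTROUTING rule.

```python
"""Audit an iptables-save dump for a working single-interface DNAT port forward.

Added example, not from the forum thread. The dump below is constructed to
mirror the complete rule set from the third post.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in iptables-save format (assumption: this is what
# `iptables-save` would print after running the four commands in the post).
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 2106 -j DNAT --to-destination 66.182.217.197:2106
-A POSTROUTING ! -s 64.62.231.86/32 -d 66.182.217.197/32 -j SNAT --to-source 64.62.231.86
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# The original poster's first attempt: DNAT only, no POSTROUTING rule.
OP_FIRST_ATTEMPT = "\n".join(
    line for line in SAMPLE_IPTABLES_SAVE.splitlines()
    if not line.startswith("-A POSTROUTING")
) + "\n"


@dataclass
class Tables:
    rules: dict = field(default_factory=dict)     # table name -> list of "-A ..." lines
    policies: dict = field(default_factory=dict)  # (table, chain) -> default policy


def parse_iptables_save(text):
    """Minimal parser for the *table / :CHAIN POLICY / -A rule / COMMIT format."""
    tables = Tables()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            current = line[1:]
            tables.rules.setdefault(current, [])
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables.policies[(current, chain)] = policy
        elif line.startswith("-A ") and current is not None:
            tables.rules[current].append(line)
    return tables


def audit_port_forward(save_text, ip_forward_value, port, inner_ip):
    """Return a list of problems; an empty list means the forward should work."""
    t = parse_iptables_save(save_text)
    nat = t.rules.get("nat", [])
    problems = []

    # 1. Destination rewrite before routing (PREROUTING DNAT to inner_ip[:port]).
    dest_re = re.compile(r"--to-destination %s(:\d+)?(\s|$)" % re.escape(inner_ip))
    if not any(r.startswith("-A PREROUTING") and "-j DNAT" in r
               and "--dport %d" % port in r and dest_re.search(r) for r in nat):
        problems.append("no PREROUTING DNAT rule for dport %d -> %s" % (port, inner_ip))

    # 2. Source rewrite after routing, so the inner host replies via this box.
    if not any(r.startswith("-A POSTROUTING") and ("-j SNAT" in r or "-j MASQUERADE" in r)
               for r in nat):
        problems.append("no POSTROUTING SNAT/MASQUERADE rule: replies from the inner "
                        "host will bypass this box and be dropped")

    # 3. Forwarding enabled in the kernel and permitted by the filter table.
    if str(ip_forward_value).strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1")
    policy = t.policies.get(("filter", "FORWARD"), "ACCEPT")
    fwd_rules = [r for r in t.rules.get("filter", []) if r.startswith("-A FORWARD")]
    if policy != "ACCEPT" and not any("-j ACCEPT" in r for r in fwd_rules):
        problems.append("FORWARD policy is %s and no FORWARD ACCEPT rule exists" % policy)
    return problems


if __name__ == "__main__":
    for label, dump in (("complete", SAMPLE_IPTABLES_SAVE), ("first attempt", OP_FIRST_ATTEMPT)):
        print(label, audit_port_forward(dump, "1", 2106, "66.182.217.197") or "OK")
```

On a real box, feed it `subprocess.check_output(["iptables-save"])` and the contents of `/proc/sys/net/ipv4/ip_forward`. The check for step 3 accepts a global `-P FORWARD ACCEPT` because that is what the post uses; a tighter filter table would keep the policy at DROP and add FORWARD rules that accept only the forwarded port plus `-m conntrack --ctstate ESTABLISHED,RELATED` replies, which this audit also recognises.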