On Wed, Jan 7, 2015 at 11:35 AM, shimi <linux...@shimi.net> wrote:
>
> On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0...@gmail.com> wrote:
>
>> hello.
>>
>> I have an iptables question
>>
>> I have the following
>>
>> ext_ip -> NAT1 -> linux firewall -> network -> computer1:eth0 .. computer99
>>
>> I have no control over NAT1.
>> computer1 also can reach the internet via eth1.
>>
>> linux firewall redirects incoming port 7777 from ext_ip to computer1
>> however I need computer2 .. computer99 to connect to ext_ip:7777 and also
>> reach computer1
>>
>> so first I did a NAT rule in linux firewall to redirect all packets from
>> internal to ext_ip:7777 to computer1, and did an 'ifconfig eth0:1 $ext_ip
>> up' on computer1.
>> this works. however it causes computer1 not to be able to access real
>> ext_ip via eth1 which is connected to the internet as well
>>
>> so I thought of both doing DNAT and MASQ, which will do the same but will
>> not require assigning ext_ip to computer1.
>> however I do not know how to do that
>>
>
> If computer1 can access ext_ip:7777, all you need is to allow ip_forward
> (/etc/sysctl.conf for permanent, and echo 1 > /proc/sys/net/ipv4/ip_forward)
> on computer1, and have all other computers have a static route to ext_ip
> via computer1
>
> Then, in computer1,
>
> iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> [ -i
> <interface subnet of computers come from> ] -s <subnet of
> computers/netmask> -p tcp --dport 7777 -j MASQUERADE
>
> should do...
>
> (of course, assuming the iptables FORWARD chain is not dropping those
> packets; otherwise you'd need an ACCEPT rule there, too...)
>
> HTH,
>
> -- Shimi
>

And on a second read, I think I got you wrong and the purpose was to access computer1 port 7777 (hopefully listening on 0.0.0.0) from computersN by using the external IP from the inside?
If so, did:

iptables -t nat -I PREROUTING -i <interface of computersN subnet> -s <subnet of computers/netmask> -p tcp --dport 7777 -j REDIRECT --to-port 7777

not work?

-- Shimi
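The "DNAT + MASQ" variant Erez asked about, written up as an added example for the Linux firewall (not a rule set posted by anyone in this thread): the first rule rewrites the destination of internal traffic aimed at ext_ip:7777, the second masquerades the source so computer1's replies come back through the firewall instead of going straight to the client, and the last two cover Shimi's FORWARD-chain caveat. The interface, subnet and address arguments are placeholders chosen for the example, and the IPTABLES variable exists only so the function can be dry-run.

```shell
#!/bin/sh
# Hairpin NAT on the Linux firewall: hosts on the LAN reach computer1:7777
# by connecting to ext_ip:7777. The firewall must be their gateway to ext_ip
# and must have net.ipv4.ip_forward=1 (not set here).
# IPTABLES can be overridden with a recording shim for a dry run.
IPTABLES="${IPTABLES:-iptables}"

# hairpin_nat LAN_IF LAN_NET EXT_IP SERVER_IP PORT   (all names are placeholders)
hairpin_nat() {
    lan_if=$1; lan_net=$2; ext_ip=$3; server=$4; port=$5

    # 1. DNAT: LAN traffic to ext_ip:port is re-addressed to computer1:port.
    "$IPTABLES" -t nat -A PREROUTING -i "$lan_if" -s "$lan_net" \
        -d "$ext_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$server:$port"

    # 2. MASQUERADE: rewrite the client's source to the firewall's LAN address,
    #    otherwise computer1 answers the client directly and the client drops
    #    the reply because it expected it to come from ext_ip.
    #    DNAT already ran, so the destination to match is the server.
    "$IPTABLES" -t nat -A POSTROUTING -s "$lan_net" -d "$server" \
        -p tcp --dport "$port" -j MASQUERADE

    # 3. Let the redirected flow and its replies through FORWARD.
    "$IPTABLES" -A FORWARD -i "$lan_if" -d "$server" -p tcp --dport "$port" -j ACCEPT
    "$IPTABLES" -A FORWARD -s "$server" -p tcp --sport "$port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Run as a script: hairpin_nat.sh eth0 192.168.1.0/24 203.0.113.5 192.168.1.10 7777
if [ $# -eq 5 ]; then
    hairpin_nat "$@"
fi
```

Setting IPTABLES to a function that just records its arguments lets you check the generated rules before applying them as root.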
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il