[olug] iptables behind router

Terry td3201 at gmail.com
Tue Sep 14 04:26:06 UTC 2004


I have a similar setup
                                            -----> PC
Cable Modem ---> Linux ---> Wireless Router |
                                            -----> Laptop


Cable Modem -- 192.168.0.0/24 --> Wireless Router --- 192.168.1.0/24 ---> PC/Laptop

This allows you to create a DMZ type of network in front of your
PCs..... I pretty much just did this to make use of an old DEC
laptop...  ;)

For services in the 192.168.0.0/24 subnet, just create a normal
iptables rule to forward to the "DMZ" host.

I have services in my internal network that I want to get to from the
outside world:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT
--to-destination 192.168.0.2:3389
-A FORWARD -s 204.26.64.1 -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT

This is poor in design, mostly just for fun....
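As an added example (not Terry's or Dan's own rules), here is a POSIX shell function that emits, in iptables-restore format, the kind of DNAT port-forward shown in the rules above and in Dan's quoted explanation below: the PREROUTING DNAT, a FORWARD rule that only admits one source, and the conntrack rule that lets the DMZ host's replies back out with the translation undone. The interface, addresses and ports are the ones from Terry's rules; the MASQUERADE line, the FORWARD default policy and the ip_forward note are assumptions added here, not from the thread.

```shell
#!/bin/sh
# Added example: print a reviewable nat + filter ruleset for forwarding
# one external TCP port to a host behind this Linux box.
# Assumptions (not from the thread): eth0 is the cable-modem side,
# net.ipv4.ip_forward=1 is set, and the DMZ host's default route points
# back at this box so conntrack can reverse the DNAT on replies.

# valid_port N -> 0 if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_dnat_rules EXT_IF EXT_PORT DMZ_HOST DMZ_PORT ALLOWED_SRC
#  - nat/PREROUTING rewrites new connections on EXT_IF:EXT_PORT to DMZ_HOST:DMZ_PORT
#  - filter/FORWARD only admits ALLOWED_SRC to the already-translated destination
#    (FORWARD sees the packet after PREROUTING, so match DMZ_HOST, not EXT_PORT)
#  - ESTABLISHED,RELATED lets replies through; conntrack un-does the DNAT on them
#  - nat/POSTROUTING MASQUERADE gives the DMZ host its outbound path via this box
gen_dnat_rules() {
    ext_if=$1; ext_port=$2; dmz_host=$3; dmz_port=$4; allowed_src=$5
    valid_port "$ext_port" && valid_port "$dmz_port" || {
        echo "gen_dnat_rules: port must be 1..65535" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $ext_if -p tcp -m tcp --dport $ext_port -j DNAT --to-destination $dmz_host:$dmz_port
-A POSTROUTING -o $ext_if -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ext_if -s $allowed_src -d $dmz_host -p tcp -m tcp --dport $dmz_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for review; load it with: gen_dnat_rules ... | iptables-restore
gen_dnat_rules eth0 3389 192.168.0.2 3389 204.26.64.1
```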

On Mon, 13 Sep 2004 21:47:18 -0500, John Dickson <jman at neonramp.com> wrote:
> Multihome comp A with an additional different net and assign IP new net to comp B.
> 
> comp A = 10.10.10.254 and 192.168.1.254
> comp B = 192.168.1.3
> 
> Config DNS
> 
> Just guessing....
> 
> John
> 
> "Daniel Linder" <dan at linder.org> wrote ..
> 
> 
> > William E. Kempf said:
> > > However... I'd like to be able to have [comp A]
> > > forward some ports to [comp B].
> >
> > Jeff gave one solution, here is another possible solution.
> >
> > The IPTables feature has a "Destination Network Address Translation"
> > feature (DNAT) which re-writes the destination of each IP packet to
> > another address when it comes in.  When it goes back out, the IPTables
> > un-does the translation and replaces the (now) source address with what
> > the machine on the outside expects.
> >
> > Example:
> >
> >
> > CompX---{internet}---{Cablemodem}-{router}--+---[CompA]
> >                                             +---[CompB]
> >
> > On Computer A, you would use a line like this:
> > iptables -t nat -A PREROUTING -i eth0 -d <CompA_Addr> -p tcp --dport <CompA_port> \
> >     -j DNAT --to-destination <CompB_Addr>:<CompB_port>
> >
> > Just make sure that Computer B has its route to the Internet set to point
> > back through CompA so CompA can un-do the DNAT...
> >
> > I think this should work... :)
> >
> > Dan
> >
> > - - - - -
> > "I do not fear computer,
> > I fear the lack of them."
> >  -- Isaac Asimov
> >
> > _______________________________________________
> > OLUG mailing list
> > OLUG at olug.org
> > http://lists.olug.org/mailman/listinfo/olug