Hey,
I haven't had time lately, so I am writing so late. The answer to my question was easier than I thought (thanks corp769, for getting me back on the iptables track!).
I present briefly my issue once again:
1) When I am at work, I have local access to some ftp and ssh servers. In some applications I have predefined IPs and ports and don't want to mess with them.
2) When I get back to my place, I would like not to change anything (or almost anything) and still be able to access the resources mentioned earlier. The problem is that I am not in the local network anymore. Moreover, my local network is behind the firewall, so the ports are changed as well (port forwarding on the gateway at my workplace).
Fortunately, iptables comes to the rescue. What I did is described below:
1) I have to mention that I am configuring NAT on the same machine where I am making the requests - this is why the changes go into the OUTPUT chain. If it were some other computer, and the NAT was on its gateway, then the PREROUTING and POSTROUTING chains of the nat table would have to be altered instead.
2) Enable port forwarding. This may be done in a few ways. I want it to last only for the current session, so I write the value 1 into /proc/sys/net/ipv4/ip_forward. Since my system is Ubuntu, I did the following (root privileges are needed to write to the aforementioned file):
Code:
sudo -i
echo "1" > /proc/sys/net/ipv4/ip_forward
exit
3) Now I have to add some rules to the OUTPUT chain of the nat table. Let's assume that at work, in the local network, I make a request to an ftp server with local address 192.168.1.AA and standard port aa. Moreover, the router there has a WAN IP of UU.VV.XX.YY, and port bb is forwarded to my ftp server, port aa.
What needs to be done is to add the following rule:
Code:
sudo iptables -t nat -p TCP -A OUTPUT -d 192.168.1.AA --dport aa -j DNAT --to-destination UU.VV.XX.YY:bb
Literally, it means "add the rule to the nat table, OUTPUT chain - it affects only those packets that are generated within the NAT computer. Moreover, these packets' destination address has to be 192.168.1.AA and the destination port aa. The destination address and port fields are going to be changed into UU.VV.XX.YY and bb, respectively."
Of course, the inverse rules are added automatically, so when the server sends responses, they are altered the other way round.
I have written a script which contains some of these mapping rules, and any time I am at home and want to get at any of the work resources, I run it and then use the clients as if I were in the work intranet.
Hope this helps someone else. While looking for this answer I found the following resources very helpful:
1) Very helpful to start from -
http://www.karlrupp.net/en/computer/nat_tutorial
2) Well described, although old one -
http://www.netfilter.org/documentati.../NAT-HOWTO.txt
3) Nice one and has useful example scripts -
http://www.linuxhomenetworking.com/w...Using_iptables
Best regards,
Krzysztow.
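As an added example (not Krzysztow's own script), the kind of wrapper described in step 3 and the closing paragraph: it keeps the 192.168.1.AA:aa to UU.VV.XX.YY:bb mappings in one table, appends the DNAT rules to the nat table's OUTPUT chain without stacking duplicates on a second run, and can remove them again when you are back at work. All addresses and ports in it are constructed placeholders, and IPTABLES, DRY_RUN and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script: manages the nat/OUTPUT
# DNAT mappings described above so they can be brought up when working from
# home and torn down again afterwards. Every address and port below is a
# constructed placeholder (203.0.113.0/24 is the RFC 5737 documentation range).

# Command used to drive netfilter; override to test without root.
IPTABLES="${IPTABLES:-sudo iptables}"
# Set DRY_RUN=1 to print the iptables invocations instead of executing them.
DRY_RUN="${DRY_RUN:-}"

# Constructed mapping table, one mapping per line:
#   <intranet ip> <intranet port> <work gateway WAN ip> <forwarded port>
MAPPINGS='
192.168.1.10 21 203.0.113.5 2121
192.168.1.11 22 203.0.113.5 2222
'

# Match and target part of one DNAT rule (everything after the chain verb),
# so the same spec serves -A (append), -C (check) and -D (delete).
dnat_spec() {
    printf '%s' "-p tcp -d $1 --dport $2 -j DNAT --to-destination $3:$4"
}

# Run an iptables command against the nat table, or only print it under DRY_RUN.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPTABLES -t nat $*"
    else
        $IPTABLES -t nat "$@"
    fi
}

# True when the rule is already present (iptables -C exits 0 on a match).
# Under DRY_RUN nothing is queried, so the rule is reported as absent.
mapping_exists() {
    [ -z "$DRY_RUN" ] || return 1
    $IPTABLES -t nat -C OUTPUT $(dnat_spec "$@") 2>/dev/null
}

# Append one mapping unless it is already there, so re-running "up" never
# leaves duplicate rules in the chain.
add_mapping() {
    if mapping_exists "$@"; then
        echo "exists: $1:$2 -> $3:$4"
    else
        ipt -A OUTPUT $(dnat_spec "$@") && echo "added: $1:$2 -> $3:$4"
    fi
}

# Remove one mapping if it is present.
del_mapping() {
    if [ -n "$DRY_RUN" ] || mapping_exists "$@"; then
        ipt -D OUTPUT $(dnat_spec "$@") && echo "removed: $1:$2 -> $3:$4"
    else
        echo "absent: $1:$2 -> $3:$4"
    fi
}

# Call a function once for every non-empty line of MAPPINGS.
each_mapping() {
    fn=$1
    echo "$MAPPINGS" | while read -r lip lport wip wport; do
        [ -n "$lip" ] || continue
        "$fn" "$lip" "$lport" "$wip" "$wport"
    done
}

case "${1:-}" in
    up)   each_mapping add_mapping ;;
    down) each_mapping del_mapping ;;
    show) ipt -L OUTPUT -n --line-numbers ;;
    *)    echo "usage: $0 up|down|show   (DRY_RUN=1 prints the commands only)" >&2 ;;
esac
```

Run `DRY_RUN=1 sh nat-home.sh up` first to see the exact iptables commands, then `sh nat-home.sh up` at home and `sh nat-home.sh down` before you are back on the intranet; `show` lists the chain with line numbers so a stray rule can be spotted. The `-C` check is what makes the script safe to re-run: the OUTPUT chain is consulted top down, and a forgotten duplicate would otherwise silently keep redirecting after you thought the mapping was removed.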