LinuxQuestions.org
Old 02-03-2003, 04:46 PM   #1
hawk4eye
Member
 
Registered: Jul 2002
Location: Lacon, IL
Distribution: Slackware
Posts: 35

Rep: Reputation: 15
IPTABLES --to-destination multiple ip:port


The man page is not very clear to me on how to do POSTROUTING of a port to some internal machines. What I am trying to do is port forward 2090 to some of my intranet machines. The man page says this:

DNAT
--to-destination ipaddr[-ipaddr][:port-port]

Could someone show me the correct way to write this? This is what I have, and it works for one machine only.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2090 -j DNAT --to-destination 192.168.1.2:2090

The man page says this, but I received an error about the first ip.
iptables -t nat -A POSTROUTING -i eth0 -p tcp --dport 2090 -j DNAT --to-destination 192.168.1.2 -192.168.1.3:2090


I tried this and it has no errors, but it doesn't work.

iptables -t nat -A POSTROUTING -i eth0 -p tcp --dport 2090 -j DNAT --to-destination 192.168.1.2-192.168.1.3:2090

help will be !!!



 
Old 02-03-2003, 06:28 PM   #2
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
I don't see how this can be possible.

If you give a range of ports it should work:

192.168.1.2-192.168.1.3:2090-2091



Basically, I know what you are trying to do. If a server requires a certain port to make a connection on, you can only have one connection to it per ip address.

Last edited by DavidPhillips; 02-03-2003 at 06:31 PM.
 
Old 02-05-2003, 02:58 PM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Your first rule is correct...
DNAT will go to one machine...
using the PREROUTING chain, notice the 'PRE'...

The other two rules are "POSTROUTING" for packets leaving the box... notice the 'POST'... DNAT doesn't work in this chain.

What are you trying to achieve?
 
Old 02-06-2003, 05:08 AM   #4
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Rep: Reputation: 30
You don't need multiport.
Just add PREROUTING entries for every ip, but I doubt it will work fine. Usually things are done so that you map a different port at the server for each client (but your software needs to have an option to alter ports), i.e.
2029 gets routed to 192.168.1.10:2028
2030 gets routed to 192.168.1.10:2028
and so on.
 
Old 02-07-2003, 04:59 AM   #5
hawk4eye
Member
 
Registered: Jul 2002
Location: Lacon, IL
Distribution: Slackware
Posts: 35

Original Poster
Rep: Reputation: 15
peter_robb, you are right, I have them right in my script. I just placed them wrong here, sorry.

I figured that adding this line would enable the port open for all machines on the network.

iptables -A INPUT -p tcp --syn --destination-port 2090 -j ACCEPT

But hey, I don't have to open port 21 to ftp from ie, what's up here?
 
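To make the man page grammar from the first post concrete, here is an added Python example (not from the thread, and not part of the iptables project) that parses a `--to-destination` spec into the set of ip:port targets the kernel may choose from, and lints a rule line for the mistakes discussed above: DNAT in a chain other than PREROUTING/OUTPUT, a space breaking the address range, and, as a constructed case, a single-dash `-syn` spelling of the `--syn` match. The function and message names are my own.

```python
import ipaddress
import re
import shlex

# Grammar from the iptables man page: --to-destination ipaddr[-ipaddr][:port[-port]]
_SPEC = re.compile(
    r"^(?P<ip1>[\d.]+)(?:-(?P<ip2>[\d.]+))?(?::(?P<p1>\d+)(?:-(?P<p2>\d+))?)?$")

def parse_to_destination(spec):
    """Return (first_ip, last_ip, first_port, last_port); ports are None when absent."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"bad --to-destination spec: {spec!r}")
    ip1 = ipaddress.IPv4Address(m["ip1"])
    ip2 = ipaddress.IPv4Address(m["ip2"]) if m["ip2"] else ip1
    if ip2 < ip1:
        raise ValueError("address range must be ascending")
    p1 = int(m["p1"]) if m["p1"] else None
    p2 = int(m["p2"]) if m["p2"] else p1
    if p1 is not None and not 1 <= p1 <= p2 <= 65535:
        raise ValueError("bad port range")
    return ip1, ip2, p1, p2

def targets(spec):
    """Every ip:port a new connection matching the rule may be mapped to."""
    ip1, ip2, p1, p2 = parse_to_destination(spec)
    ips = [str(ipaddress.IPv4Address(n)) for n in range(int(ip1), int(ip2) + 1)]
    ports = range(p1, p2 + 1) if p1 is not None else [None]
    return [f"{ip}:{pt}" if pt is not None else ip for ip in ips for pt in ports]

def lint_dnat_rule(rule):
    """Flag mistakes in one 'iptables ...' command line; returns a list of messages."""
    argv = shlex.split(rule)
    problems = []
    if "-syn" in argv:  # constructed case: single dash is not the --syn flag match
        problems.append("'-syn' is not the --syn flag match; write --syn")
    if "-j" not in argv or argv[argv.index("-j") + 1] != "DNAT":
        return problems
    chain = argv[argv.index("-A") + 1] if "-A" in argv else None
    if chain not in ("PREROUTING", "OUTPUT"):
        problems.append(f"DNAT is only valid in PREROUTING or OUTPUT, not {chain}")
    if "-t" not in argv or argv[argv.index("-t") + 1] != "nat":
        problems.append("DNAT lives in the nat table; add -t nat")
    if "--to-destination" not in argv:
        problems.append("DNAT needs --to-destination")
        return problems
    i = argv.index("--to-destination")
    if i + 2 < len(argv) and re.match(r"-\d", argv[i + 2]):
        problems.append("space before '-' splits the range: write ip-ip with no spaces")
    else:
        try:
            parse_to_destination(argv[i + 1])
        except ValueError as e:
            problems.append(str(e))
    return problems
```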