LinuxQuestions.org
Old 10-07-2003, 06:04 PM   #1
lambmt
Member
 
Registered: Sep 2003
Distribution: RedHat 9
Posts: 44

Rep: Reputation: 15
Nat Prerouting


I want to host a web server and an FTP server within my network, but I only have 1 REAL IP address. I want to preroute to them, but I encountered a problem with the FTP part: when prerouting the interface I could not connect to FTP from outside of my network. Any ideas on how to preroute only incoming connections on a certain IP address?

thanks
 
Old 10-07-2003, 06:39 PM   #2
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
Sample code that forwards connections made to your NAT computer's ftp port from the interface IF_INET to the IP 192.168.1.11.
Code:
# the interface that faces the Internet
IF_INET="your internet interface, like eth0"
# rewrite the destination of ftp packets arriving on IF_INET before they are routed
iptables --table nat --append PREROUTING --in-interface $IF_INET -p tcp --destination-port ftp --jump DNAT --to-destination 192.168.1.11:ftp
# let the rewritten packets pass through the FORWARD chain to the ftp server
iptables --append FORWARD -p tcp --destination 192.168.1.11 --destination-port ftp --jump ACCEPT
This should work at least in passive ftp mode.
 
Old 10-07-2003, 06:44 PM   #3
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
And for the other question, about limiting the scope of the rule to certain IP addresses (not only by interface, as done above): "--source" does the job.

Something like
Code:
# drop, rather than forward, anything coming from this source address
iptables --append FORWARD --source evil.bastard.somewhere.inter.net --jump DROP
makes packets sourced from evil.bastard.somewhere.inter.net get thrown away instead of forwarded (remember the correct ordering of the rules).
 
Old 10-07-2003, 07:13 PM   #4
lambmt
Member
 
Registered: Sep 2003
Distribution: RedHat 9
Posts: 44

Original Poster
Rep: Reputation: 15
What about HTTP?

Same thing, just replace ftp with http, or port 80? 8080?
 
Old 10-07-2003, 07:18 PM   #5
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
That's correct. You can use service names (found in /etc/services) or raw port numbers in the iptables port matching patterns.
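Pulling the thread together (the DNAT/FORWARD rules from post #2, the --source restriction from post #3, and the port question from posts #4 and #5), here is an added example script that is not code from the thread. The interface name, server addresses and the DRY_RUN switch are assumptions; it also adds the stateful FORWARD rule and the FTP conntrack helper that the original rules rely on implicitly.

```sh
#!/bin/sh
# Added example, not code from the thread: publish FTP and HTTP servers behind one
# public IP with iptables DNAT. Interface, server addresses and DRY_RUN are assumptions.
IF_INET="${IF_INET:-eth0}"                 # assumption: Internet-facing interface
FTP_SERVER="${FTP_SERVER:-192.168.1.11}"   # assumption: LAN ftp server
WEB_SERVER="${WEB_SERVER:-192.168.1.12}"   # assumption: LAN web server

# With DRY_RUN set, print each command instead of executing it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# DNAT + FORWARD rules for one TCP service; an optional third argument limits
# the rules to that source address (the --source restriction from post #3).
publish_tcp() {
    server=$1; port=$2; src=""
    [ -n "${3:-}" ] && src="-s $3"
    # Rewrite the destination before routing, but only for packets that arrived
    # on the Internet interface, so LAN traffic to the box itself is untouched.
    run iptables -t nat -A PREROUTING -i "$IF_INET" $src -p tcp --dport "$port" \
        -j DNAT --to-destination "$server:$port"
    # Admit the rewritten packet; -i keeps this from opening the port to
    # connections that did not come in from the Internet.
    run iptables -A FORWARD -i "$IF_INET" $src -p tcp -d "$server" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Replies and helper-related connections (the FTP data channel) must be allowed
# back through the box; without this, post #2's rules only work when the FORWARD
# chain's policy is ACCEPT.
allow_established() {
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# FTP opens a second data connection, so load the conntrack helper (ip_conntrack_ftp
# on 2.4-era kernels) and bind it to port 21; kernels with nf_conntrack_helper=0
# (the default since 4.7) no longer assign helpers automatically.
enable_ftp_helper() {
    run modprobe nf_conntrack_ftp 2>/dev/null || run modprobe ip_conntrack_ftp
    run iptables -t raw -A PREROUTING -i "$IF_INET" -p tcp --dport 21 -j CT --helper ftp
}

if [ "${1:-}" = "apply" ]; then            # ./publish.sh apply   (as root)
    allow_established
    enable_ftp_helper
    publish_tcp "$FTP_SERVER" 21
    publish_tcp "$WEB_SERVER" 80           # port 8080 would be the same call
fi
```

Run it with DRY_RUN=1 first to review the generated rules; the FORWARD rules are appended, so the ESTABLISHED,RELATED rule and any --source DROP rules must come before a broad ACCEPT to take effect.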
 
Old 10-07-2003, 08:17 PM   #6
lambmt
Member
 
Registered: Sep 2003
Distribution: RedHat 9
Posts: 44

Original Poster
Rep: Reputation: 15
OK, when I go to the IP of the NAT in the browser it still goes to the web pages set up on the NAT... I set them up there to see what page would load... when I go to the IP of the web server the correct page is shown....

From inside the NAT on the 192.168 network I cannot go to the IP of the NAT, it times out.... which.... "I think" is because it's prerouting something somewhere else. I will try flushing nat and going to the addr without prerouting to see if it times out....
 
All times are GMT -5.