I've recently changed ISPs and so, out went my old BT Home Hub 2, to be replaced by a D-Link ADSL router. The D-Link has a much faster administration interface than the old Home Hub, but its port forwarding options were greatly limited: it can't forward to a different port than the external port, and has a maximum of 12 rules. I have a limited knowledge of iptables/netfilter, but the manpage explains it all clearly. After a few mugs of tea and some scribbling on scraps of paper, I was able to write a few iptables rules that did the following:
1. Redirect incoming packets to port 80 to port 8080, when they come from the router (my webserver uses virtual sites and it expects 'stuff from outside' to arrive on port 8080).
2. Send incoming packets to port 81 and 8081 to another host's port 80 (the 'other host' is a Linksys WVC54G Internet video camera).
I needed to set the router to direct port 8080 to the webserver - with the iptables rules - and to also send data from ports 8081 and 81 to the webserver.
In the following excerpt from the script, environment variable SUDO is 'sudo' if the script is running as an administrative user, and empty if it's running as root. IPT_OPTS is '-v' ('be verbose') or empty. IPTABLES is 'iptables'. MAC_SOURCE is the MAC address of the router, e.g. 00:11:22:33:44:55.
Kernel modules xt_multiport and xt_mac need to be loaded.
Code:
# Send all packets from MAC_SOURCE port 80 to local port 8080
${SUDO} ${IPTABLES} ${IPT_OPTS} -t nat -A PREROUTING -p tcp -m mac --mac-source ${MAC_SOURCE} --dport 80 -j DNAT --to-destination :8080
# Send all packets from MAC_SOURCE ports 81 and 8081 to the camera's port 80
${SUDO} ${IPTABLES} ${IPT_OPTS} -t nat -A PREROUTING -p tcp -m mac --mac-source ${MAC_SOURCE} -m multiport --dports 81,8081 -j DNAT --to-destination 192.168.135.18:80
Those two lines saved me so much hassle!
Lex
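As an added example (not part of Lex's script), here is a small POSIX sh dry-run generator for the two rules above: it checks the MAC and port arguments before emitting anything, and it also prints the pieces the post leaves implicit when the DNAT target is another host (ip_forward, FORWARD accepts, and a POSTROUTING MASQUERADE so the camera's replies travel back through the forwarding host instead of straight to the router, where they would not match the router's own NAT state). The interface name eth0 and the MAC 00:11:22:33:44:55 are placeholders; the camera address 192.168.135.18 is the one from the post.

```shell
#!/bin/sh
# Added example, not Lex's script: print (or apply) the rules from the post
# after checking the inputs, plus the forwarding pieces the post leaves implicit.
# Placeholders: router MAC 00:11:22:33:44:55, LAN interface eth0. Applying needs root.

# Return 0 if $1 is a colon-separated MAC address such as 00:11:22:33:44:55.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Return 0 if $1 is a TCP port number in 1..65535.
valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules MAC CAMERA_IP IFACE CAMERA_PORTS   (ports comma-separated, e.g. 81,8081)
# Emits one command per line. Refuses bad input so a typo in the MAC cannot
# silently produce a rule that matches nothing.
build_rules() {
    mac="$1"; cam="$2"; ifc="$3"; ports="$4"
    valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $ifc -p tcp -m mac --mac-source $mac --dport 80 -j DNAT --to-destination :8080
iptables -t nat -A PREROUTING -i $ifc -p tcp -m mac --mac-source $mac -m multiport --dports $ports -j DNAT --to-destination $cam:80
iptables -A FORWARD -i $ifc -p tcp -d $cam --dport 80 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -d $cam --dport 80 -j MASQUERADE
EOF
}

# With DRY_RUN=1 (the default) the commands are only printed; DRY_RUN=0 runs them.
apply_rules() {
    rules=$(build_rules "$@") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh -e
    fi
}
```

Run `apply_rules 00:11:22:33:44:55 192.168.135.18 eth0 81,8081` to see the commands, and set `DRY_RUN=0` as root to apply them.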