Linux - Networking (LinuxQuestions.org)
This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Depends on what you mean by "ip range".
If you use a single IP number and a netmask, it will convert the single number to the correct network number, and then the whole subnet would be diverted by the rule as you describe.
So everything going to TCP port 8500 in the range 10.0.2.1 to 254 would be redirected to the external number, port 23.
It's always good practice to use interface names if possible, to make sure the correct packets are being redirected.
Originally posted by phatboyz:
If I use this command,
iptables -t nat -A PREROUTING --dst 10.0.2.1/24 -p tcp --dport 8500 -j DNAT --to-destination 62.xxx.xxx.xxx:23
Will that route all traffic from IP range 10.0.2.1 on port 8500 to 62.xxx.xxx.xxx on port 23?
I think there is some problem with your command; I think it should be:
iptables -t nat -A PREROUTING -d 62.xx.xx.xx -p tcp --dport 23 -j DNAT --to-destination 10.0.2.1:8500
to make: Internet --- (request) ---> Server_in_LAN
and:
iptables -t nat -A POSTROUTING -s 10.0.2.1 -p tcp --sport 8500 -j SNAT --to-source 62.xx.xx.xx:23
to make: Internet <--- (respond) --- Server_in_LAN
and:
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -j SNAT --to-source 62.xx.xx.xx
to make your LAN connect to Internet with NAT.
Basically this is a question that I have asked before, when we had problems with external addresses changing. (Cisco VPN PIX 501) When a route drops it causes all sorts of problems for the clients. I can always get my link back up, as I can log everyone off the connection, change the config in the PIX and then boot it back up. This doesn't work when I am in the US and have a site in the UK that needs to be rebooted. I can not do that until certain hours. The workaround is to have the down site connect to me, as I can get the route back up. If I have them connect to the nix server and then have it redirect back across the VPN to the AS400 server. The first problem was that the AS400 uses port 23. (SSH) So I am going to have it initiate the connection on a nonstandard port and then redirect to 23. I have no clue as to what I really need to do, so if someone can give me good examples to go by I would like that.
What you've suggested for an iptables rule works OK.
But if the real problem is flaky routes, you'd be better off using DNS to supply a different route. (Assuming of course clients are connecting by URL rather than IP number.)
If you set the default TTL of your DNS servers to, say, 10 mins, you can refresh the IP numbers for an outage.
You would need DNS servers close to your clients to make sure there is less delay.
We use IP numbers and the hosts file. We do not have an internal DNS server.
Also, this is all internal; there is no routing across the Internet. We have a VPN, so I have 7 sites that I can browse with IP ranges. The nix box won't know it's coming from a different IP range because of the PIX doing NAT. I just need to have all connections that come into eth0 on port 8500 be redirected to 23 on another IP address.
I hope this will help.
I only started using iptables a few days ago. I have 2 machines, one running Linux and another Windows Server 2003, which was until a few days ago doing the NAT. Now it's the Linux machine doing it, and I made a script for the NAT and a few other things. Among those I added a line to the script to redirect any connection received on ports 10000:10009 to the Windows machine (those are the ports that I have configured my torrent client to use). To do that I have added the lines:
Code:
iptables -A INPUT -p tcp --destination-port 10000:10009 -m state --state NEW,ESTABLISHED -j ACCEPT;
iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 10000:10009 -j DNAT --to 192.168.0.2;
The first line allows the Linux machine to accept connections on those ports; the second line redirects those connections to the Windows machine... I think.
Anyway, it worked.
I'm not sure if it was something like this that you wanted, though I hope it was.
[EDIT]eth0 is the interface connected to the Internet, eth1 the interface with the local network; Linux local network IP = 192.168.0.1 and Windows machine IP = 192.168.0.2. I'm using masquerade since I have a dynamic IP.[/EDIT]
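Added example, not written by anyone in this thread: a small POSIX shell script that shows two points from the replies above in running form. network_of computes the network address iptables derives from a host-with-prefix such as 10.0.2.1/24, which is why that match covers the whole 10.0.2.0/24 subnet and not one host. dnat_forward renders the rule set for redirecting connections that arrive on eth0 port 8500 to port 23 on another address, bound to the inbound interface as suggested earlier. It adds the FORWARD-chain rules that DNATed packets actually traverse (the INPUT rule in the torrent script above does not admit them; it presumably worked because that box's FORWARD policy was ACCEPT) and a POSTROUTING masquerade for the case the original poster describes, where the target sits across the VPN and its replies would otherwise not return through the box that did the DNAT. The IPT variable defaults to printing the rules instead of applying them; the interface, ports and 10.0.2.1 address are the thread's values, and the rule set is my suggestion, not a poster's.

```sh
#!/bin/sh
# Added example, not from the thread. IPT defaults to printing the rules;
# set IPT=iptables to apply them on the gateway.
IPT="${IPT:-echo iptables}"

# network_of ADDR PREFIXLEN: the network address iptables derives from
# ADDR/PREFIXLEN (e.g. 10.0.2.1/24 -> 10.0.2.0), so the match covers the subnet.
network_of() {
    addr=$1; plen=$2
    a=${addr%%.*}; rest=${addr#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( 4294967295 - ((1 << (32 - plen)) - 1) ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 ))
}

# dnat_forward IN_IF DPORT TARGET_IP TARGET_PORT: redirect TCP connections
# arriving on IN_IF:DPORT to TARGET_IP:TARGET_PORT and permit only that path.
dnat_forward() {
    in_if=$1; dport=$2; tip=$3; tport=$4
    # Rewrite the destination before routing; bound to the inbound interface
    # so packets arriving on other interfaces are never rewritten.
    $IPT -t nat -A PREROUTING -i "$in_if" -p tcp --dport "$dport" \
        -j DNAT --to-destination "$tip:$tport"
    # DNATed packets pass through FORWARD, not INPUT: admit exactly this flow,
    # plus packets of connections conntrack already knows.
    $IPT -A FORWARD -i "$in_if" -p tcp -d "$tip" --dport "$tport" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # If the target's route back does not lead through this box (a host across
    # the VPN), its replies would bypass the DNAT; masquerading connections to
    # the target port keeps the return path through here.
    $IPT -t nat -A POSTROUTING -p tcp -d "$tip" --dport "$tport" -j MASQUERADE
}

# Demonstration with the thread's values: peers reach eth0:8500, the target
# host 10.0.2.1 listens on port 23.
echo "10.0.2.1/24 is treated as network $(network_of 10.0.2.1 24)/24"
dnat_forward eth0 8500 10.0.2.1 23
```

Without IPT set the script only prints the rules, so it is safe to run anywhere to review them; run it as IPT=iptables sh on the gateway to apply them. The NEW rule in FORWARD is deliberately narrow (interface, target address and port) so that the redirect opens nothing beyond the one forwarded service.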