Quote:
Originally posted by patcito
Hey all,
I use my PC as my router at home cause I have 2 network cards and no money to buy a special router box but I do have a switch though.
I get the net on my eth1 (which is connected to my aDSL ethernet modem) and I redirect it on eth0 at boot with this command:
The net is working great everywhere.
What I wanna do is redirect port 22 (tcp) from eth1 to one of my LAN PCs, 192.168.0.2.
I tried several things such as this one but it didn't work:
iptables -A FORWARD -p tcp -m tcp -d eth1 -i eth0 --dport 4662 -j ACCEPT
Thanx in advance for your help.
Patcito
PS: I use kernel 2.6.13 with iptables, ipforward and ipchain compiled
You need two rules.
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.0.2:22
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
I made them as simple as they get. You can put whatever you want from here (for example -i, -o for interface matching).
The second rule is like the one you mentioned. It accepts traffic that comes at your router to port 22 and is not destined for it.
Why doesn't this rule alone work? Because when the packet comes in, the destination address is the router's IP, not the NATed box's IP. So you need to rewrite the traffic to its real destination, which is 192.168.0.2.
This is the opposite of the "-j MASQUERADE" you have. ($iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE)
This rule rewrites every packet that goes off the router so that its source IP is the router's one (or else the source IP would be 192.168.0.X).
The rule I wrote does the opposite: it changes the destination address so that it is the one of the NATed box.
I tried to explain it as simply as I can.
If you want more information you can read the tutorial in
http://iptables-tutorial.frozentux.net
It has a great deal of information about the way a packet goes and several chains.
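A fuller version of those two rules, added here as an example (it is not code from the thread): it restricts the DNAT and FORWARD rules to the WAN interface and the one LAN host, which the bare rules above do not, and includes the ip_forward sysctl and the MASQUERADE rule the thread assumes. Interface names, port and host are the values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Port-forward TCP/22 arriving
# on the WAN side (eth1) to one LAN host (192.168.0.2) behind the router.

# build_rules WAN LAN PORT HOST  -> prints the iptables commands, one per line
build_rules() {
    wan=$1; lan=$2; port=$3; host=$4
    # 1. Rewrite the destination of packets arriving on the WAN interface.
    #    -i limits this to eth1, so a LAN client connecting to the router's
    #    own port 22 (to administer it) is not silently bounced to the host.
    echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $host:$port"
    # 2. Let the rewritten packets through FORWARD, but only for that host,
    #    that port and that direction. A bare '--dport 22 -j ACCEPT' would
    #    also pass port 22 to any other LAN host a later DNAT rule pointed at.
    echo "iptables -A FORWARD -i $wan -o $lan -d $host -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. Replies from the LAN host (and anything else conntrack already knows).
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 4. The poster's existing outbound masquerade, unchanged.
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
}

# apply_rules WAN LAN PORT HOST: enable forwarding and run the rules (root only).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules "$@" | sh -e
}

# count_rules: number of commands generated, for a quick self-check.
count_rules() { build_rules "$@" | wc -l | tr -d ' '; }

# Usage on the router:  apply_rules eth1 eth0 22 192.168.0.2
# Verify afterwards:    iptables -t nat -L PREROUTING -n -v ; iptables -L FORWARD -n -v
```

The -v counters in the verify commands are the quickest way to see whether the DNAT rule is being hit at all, which separates a firewall problem from a routing or modem problem.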