Hi Guys

First let me say that I am a COMPLETE linux noob .. but my MS DOS days have me feeling nostalgic so i tried some command lines in a nice fresh linux install and the power is growing on me ..

I have a win2k server with VMWare IPCop machine .. but this shouldnt be too relevant .. the basics of what the setup is and what functionality I need is mostly irrelevant to exaclty how the linux is setup .. as it should just be an iptables command from what I understand.

I have a linux firewall (on the win2k server - vmware) which has 1 ethernet connection (eth0) and 4 ppp connections (ppp0,ppp1,ppp2,ppp3) all connected to different DSL ISP's (for differing latency and service level agreements). What I require is to be able to catch all traffic destined for a particular port and select which port and ppp connection it should use (basically port forwarding in reverse) .. for example .. i would like all traffic destined for port 2000 to be routed down ppp0 on port 1000 (to the same IP) ...and all port 2001 traffic to be routed to ppp1 on port 1000 (same IP) etc ...

I know this cant be rocket science .. but for the life of me I cant seem to get a good grip on iptables and the full command line usage..

If someone could help me with the correct command line it would be much appreciated ..

Regards

check out this link http://www.netfilter.org/documentati...s-HOWTO-4.html , most specifically the ROUTE target. here you can just use iptables to directly influence the routing with that new(ish) target:

iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j ROUTE --oif ppp2

for example. if you don't have the ROUTE target available you would use the MARK target to mark those matching packets with a number. this number is then translated to one of numerous routing tables, which you can see an (old) example of here... http://www.linuxhorizon.ro/iproute2.html

thx .. but I dont see a way to select the outgoing port ??? did I miss something

yes you did, the --dport (destination port) option.

apologies . I didnt realise that was the instruction to send .. I assumed it was the instruction to match the traffic ..

I assume I use -sport for the source port then .. I will try and let you know if i'm successfull

thx again

well you're not asking to change the port at all, so the port you match is the port it stays on. oh... hang on, you did say change the port too... erm... well that would be the NAT table as opposed to the mangle table as a seperate command. Seems that the nat table occurs after the mangle on prerouting, (http://www.faqs.org/docs/iptables/tr...goftables.html) which you could use to your advantage, or not... depends on your situation, but a standard NAT command matching whatever you want. exactly the same criteria as for the mangle would make sense:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222

thx for the clarification .. the link you provided is excellent reading material .. highly recommended for somebody wanting to understand linux routing ....

Armed with my new knowledge and html link .. I will give it a more educated bash and let you know ..

Regards

tried to run the iptables command with the oif switch and it isnt recognised under the linux on the ipcop firewall ... Is there a way to get an "updated" version of the iptables command on an ipcop linux firewall ...?? or is this a limitation on the linux kernel version and not likely to have a workaround and I will have to use the "MARK" method ??

--oif will be provided by the ROUTE target. does it seem to like ROUTE but not oif? as i mentioned, the more conventional way would be to use a MARK, which is actually detailed well in my old favourite, chapter 4 at lartc.org, as well as the above.

Yes route seems fine .. but not oif ... have some other ideas after reading the link you posted that gave me a better understanding of mangle and nat routing tables .. so I think I should get somewhere .. will investigate and post my findings to close the thread ... cheers