Can netfilter do this?
Ryan Hoegg
rhoegg@isisnetworks.net
Thu, 21 Sep 2000 14:07:21 -0400
To be clear, each of the internal boxes needs to receive packets from the
internet that seem to be coming from the firewall itself?
If this is the case you can do it with netfilter, but you will not be able
to have more than one connection from the internet to any one of the
internal servers because the firewall will have no way of knowing to which
connection to assign packets coming back from box2:
box1-ext: 1.2.3.12 (eth0)
box1-int: 192.168.97.1 (eth1)
box2: 192.168.97.38 application-port: 4242
# iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 4242 -j DNAT --to 192.168.97.38
# iptables -t nat -I POSTROUTING -o eth1 -p tcp -d 192.168.97.38 --dport 4242 -j SNAT --to 192.168.97.1
If this is not the case, this is a fairly straightforward case of DNAT.
We have recently started a mailing list for iproute2, mail a message to
external-majordomo at corp.sgi.com with "subscribe iproute2" in the body.
However, I can't see where advanced routing can help in your situation.
John McDermott wrote:
> I've tried lots of ways to do this and upgrading to netfilter/iptables
> is the next step, but if there is no hope, I'll wait to upgrade.
>
> My scenario
>
> The Internet ----------->box1----->box2
> |
> +------->box3
> |
> +------->box4
>
> I am running software on box2-box4 that I want Internet users to be able
> to access. The software on box2 runs on port xxx1, on box3 it runs on
> xxx2 and on box4 it runs on xxx3. I want box 1 to receive connections
> on box1's Internet side (call it box1-I) at box1-I:xxx1 and to forward
> that packet to box2:xxx1, but *with box1's internal address as the
> source*. This is because box2 cannot route. I can use any ports I want
> on box1's Internet side, but the ports on boxes 2-4 are fixed.
>
> I tried 2.2's ipchains with ipportfw, but I can forward and not
> masquerade that way. I then enabled advanced routing and found out the
> same thing. I even tried marking the inbound packets with fwmark, and
> routing based on the mark, but that did not work either. The advanced
> routing document (included with iproute2) tells me I can masquerade and
> NAT, but it doesn't seem to work. I even tried setting multiple
> addresses on box1's Internet side and doing a NAT of the group with the
> advanced routing stuff, but that did not work either.
>
> Any help would be greatly appreciated.
>
> Thanks,
> --john
> --
> John McDermott, Writer and Consultant
> J-K International, Ltd.
> V +1 505/377-6293 F +1 505/377-6313
> jjm@jkintl.com
--
Ryan Hoegg, MCSE, MCP+I
Sr. Systems Engineer
ISIS Networks
rhoegg@isisnetworks.net
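As an added example (not code from the original post or from either participant), the POSIX shell script below generates the DNAT + SNAT rule set from the reply for all three internal servers in the question, printing the rules so they can be reviewed before being applied on box1. Box1's addresses and box2's 192.168.97.38:4242 come from the reply; the box3 and box4 addresses and the xxx2/xxx3 ports are constructed placeholders, and the default-deny FORWARD policy with a single ESTABLISHED,RELATED rule is an assumption not stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the original post. It expands the one-server
# DNAT+SNAT pair in the reply to the three-server layout in the question,
# printing the rules instead of applying them so they can be reviewed first.
# Constructed values: box1 is 1.2.3.12 on eth0 / 192.168.97.1 on eth1 and
# box2 is 192.168.97.38:4242 (both from the reply); box3 and box4 addresses
# and the xxx2/xxx3 ports are placeholders chosen here.

EXT_IF=eth0
INT_IF=eth1
INT_ADDR=192.168.97.1

# publish_tcp EXT_PORT SERVER_IP SERVER_PORT
# Emits the rules for one published service:
#  1. PREROUTING DNAT: rewrite the destination of packets arriving on the
#     Internet side to the internal server (SERVER_PORT may differ from
#     EXT_PORT, since the question allows any external port).
#  2. POSTROUTING SNAT: rewrite the source to box1's internal address, so a
#     server with no route to the Internet still answers to box1.
#  3. FORWARD accept for the new inbound flow (reply packets are matched by
#     the single ESTABLISHED,RELATED rule printed by publish_all).
publish_tcp() {
    ext_port=$1
    srv_ip=$2
    srv_port=$3
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$EXT_IF" "$ext_port" "$srv_ip" "$srv_port"
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
        "$INT_IF" "$srv_ip" "$srv_port" "$INT_ADDR"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF" "$srv_ip" "$srv_port"
}

# publish_all
# Prints the full rule set: enable forwarding, default-deny FORWARD, allow
# reply traffic once, then one publish_tcp block per internal server.
publish_all() {
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    publish_tcp 4242 192.168.97.38 4242    # box2, from the reply
    publish_tcp 4243 192.168.97.39 4243    # box3, constructed (xxx2)
    publish_tcp 4244 192.168.97.40 4244    # box4, constructed (xxx3)
}

publish_all
```

Run it as `sh publish.sh` to inspect the rules, or `sh publish.sh | sh` on box1 to apply them. The `-m state` match is the one available in the 2000-era iptables the thread discusses; current kernels spell the same thing `-m conntrack --ctstate`. Because the SNAT step replaces the real client address with box1's internal address, the internal servers can no longer tell clients apart in their own logs, so any per-client logging or rate limiting has to be done on box1.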