Can anyone tell me how to do this?

Jason Opperisano opie at 817west.com
Thu Sep 23 19:48:08 CEST 2004


On Thu, 2004-09-23 at 13:28, Dominic Iadicicco wrote:
> it didn't work
>
> Thank you for the input though.
>
> Dom

hmmm...i never got Samuel's response...

a good learning exercise for you would be to figure out why it doesn't
work...

> --- Samuel Díaz García (ArcosCom)
> <samueldg at arcoscom.com> wrote:

[ snip]

> > $> iptables -t filter -A INPUT -i eth1 -d 10.0.0.1 -m tcp -p tcp --dport 22 -j ACCEPT

this allows connections to pass an INPUT filter rule with destination IP
10.0.0.1 and destination port 22 (TCP).

that wasn't really what you were asking for, but may be of some use to
you in another situation...

> > $> iptables -t nat -A PREROUTING -i eth1 -d 10.0.0.1 -m tcp -p tcp --dport 22 -j DNAT --to-destination 172.16.12.130:22

think about what the word PREROUTING means.  it means that before this
linux host ever makes any layer 3 decision about this packet at
all--we're going to modify it.  once this rule is applied--the linux
host will never ever see a packet that has a destination IP of 10.0.0.1
in the context of this connection.  the destination IP is
172.16.12.130.  as such, any filter rules applied later in the stack
will have to accommodate 172.16.12.130, not 10.0.0.1.

if you're using this as a learning experience (and i hope this is on a
test machine), i recommend LOG-ing everything you can, break things at
will, figure out why they broke, and how to fix them.

and i never get tired of pimping this:

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

HTH...

-j

-- 
Jason Opperisano <opie at 817west.com>
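To make the traversal-order point above concrete, here is a small Python model of how a packet passes nat/PREROUTING, the routing decision and then exactly one filter chain (added here as an illustration; not code from this thread or from the netfilter project). It assumes 10.0.0.1 is an address of the firewall itself, and it ignores conntrack, POSTROUTING and the return path.

```python
from dataclasses import dataclass, replace
from typing import Optional

LOCAL_ADDRS = {"10.0.0.1"}  # addresses owned by the firewall host (assumed)

@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    chain: str                      # PREROUTING (nat), INPUT or FORWARD (filter)
    target: str                     # ACCEPT or DNAT
    in_iface: Optional[str] = None  # -i
    dst: Optional[str] = None       # -d
    dport: Optional[int] = None     # --dport
    to_dst: Optional[str] = None    # --to-destination (DNAT only; port unchanged)

    def matches(self, p: Packet) -> bool:
        checks = (("in_iface", self.in_iface), ("dst", self.dst), ("dport", self.dport))
        return all(want is None or want == getattr(p, field) for field, want in checks)

def traverse(packet: Packet, rules: list, policy: str = "DROP") -> tuple:
    """Return (packet as the filter chain saw it, filter chain used, verdict)."""
    # 1. nat/PREROUTING runs before any routing decision; DNAT rewrites dst.
    for r in rules:
        if r.chain == "PREROUTING" and r.matches(packet):
            if r.target == "DNAT":
                packet = replace(packet, dst=r.to_dst)
            break  # first matching rule in a chain wins
    # 2. The routing decision sees the *rewritten* destination and picks the chain.
    chain = "INPUT" if packet.dst in LOCAL_ADDRS else "FORWARD"
    # 3. Only that filter chain is consulted; unmatched packets get the policy.
    for r in rules:
        if r.chain == chain and r.matches(packet):
            return packet, chain, r.target
    return packet, chain, policy

# The two rules quoted in the thread, plus two candidate FORWARD rules.
DNAT = Rule("PREROUTING", "DNAT", "eth1", "10.0.0.1", 22, "172.16.12.130")
INPUT_10 = Rule("INPUT", "ACCEPT", "eth1", "10.0.0.1", 22)
FORWARD_10 = Rule("FORWARD", "ACCEPT", "eth1", "10.0.0.1", 22)        # pre-DNAT dst
FORWARD_172 = Rule("FORWARD", "ACCEPT", "eth1", "172.16.12.130", 22)  # post-DNAT dst
SYN = Packet("eth1", "10.0.0.1", 22)  # client's first packet to the firewall (constructed)

def verdict(*filter_rules: Rule) -> tuple:
    pkt, chain, result = traverse(SYN, [DNAT, *filter_rules])
    return pkt.dst, chain, result
```

With the DNAT rule in place, `verdict(INPUT_10)` and `verdict(FORWARD_10)` both come back as `('172.16.12.130', 'FORWARD', 'DROP')`, because the filter stage never sees 10.0.0.1 and the INPUT chain is never consulted for a forwarded packet; only `verdict(FORWARD_172)` yields ACCEPT. Without the DNAT rule, the quoted INPUT rule does accept the same SYN, which is why it is useful for reaching the firewall's own sshd but not for the port forward.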
