Redirecting packet from incoming external interface to a different external machine.

Grant Taylor gtaylor at
Wed Aug 17 07:03:10 CEST 2005

iptables -t nat -A PREROUTING -i ${ExternalInterface} -d ${ExternalInterfaceIP} -p tcp --dport 21 -j DNAT --to-destination ${DestinationServerIP}:3805
iptables -t nat -A POSTROUTING -o ${ExternalInterface} -d ${DestinationServerIP} -j SNAT --to-source ${ExternalInterfaceIP}
iptables -t filter -A FORWARD -i ${ExternalInterface} -o ${ExternalInterface} -d ${DestinationServerIP} -j ACCEPT
iptables -t filter -A FORWARD -i ${ExternalInterface} -o ${ExternalInterface} -s ${DestinationServerIP} -j ACCEPT

These rules should do exactly what you are wanting.  However, I'm betting that because you are talking about port 21 there is a chance that you are dealing with FTP.  If that is indeed the case you will need to be careful what you do with the other ports that FTP opens, as they may not pass through the system the same way.

Grant. . . .

Jeffrey Carter wrote:
> Here is what I'm looking to do (And please tell me if I'm crazy as I've
> been beating my head on this for a week)
> I'm looking to take a packet that is incoming on my machine, on port 21
> and redirect it to port 3805 on a completely different external machine.
> Basically, I'm trying to solve how to make the machine a transparent
> proxy on the same external interface.  The packets coming in on port 21
> can be coming from anywhere on the internet, and will be sent to port
> 3805 on the remote machine, which then should come back through my box
> and back to the clients.
> Any ideas on using iptables for this?  I dusted off redir and while it
> worked it had its occasional issues so I'm trying to bring a better
> hammer to beat on the nail.
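A parameterised version of the hairpin DNAT/SNAT ruleset above, added here as an example and not code from the post: it validates the addresses and ports before emitting anything, narrows the SNAT and FORWARD rules to the translated port and to established replies rather than all traffic to or from the destination host, and turns on IPv4 forwarding, which the rules silently depend on. The interface name and addresses used in the test are constructed sample values; like the original rules, it covers only the control connection and does nothing for the extra ports FTP opens.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iptables is installed
# and that the script runs as root unless DRY_RUN=1 (print only).

valid_ipv4() {
  # Accept a dotted quad whose four octets are all in 0-255.
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

valid_port() {
  echo "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# hairpin_rules IFACE IFACE_IP DEST_IP IN_PORT OUT_PORT
# Prints one iptables command per line; returns 1 on bad input.
hairpin_rules() {
  ifc=$1; ifip=$2; dst=$3; inport=$4; outport=$5
  valid_ipv4 "$ifip" && valid_ipv4 "$dst" || return 1
  valid_port "$inport" && valid_port "$outport" || return 1
  # Rewrite only traffic addressed to the firewall's own external IP, so
  # packets merely transiting the box are never redirected.
  echo "iptables -t nat -A PREROUTING -i $ifc -d $ifip -p tcp --dport $inport -j DNAT --to-destination $dst:$outport"
  # Source-NAT the redirected flow so the destination answers the firewall,
  # which un-NATs the replies back to the client ("back through my box").
  echo "iptables -t nat -A POSTROUTING -o $ifc -d $dst -p tcp --dport $outport -j SNAT --to-source $ifip"
  # Same interface in and out; allow only the translated port outbound and
  # conntrack-established replies inbound, not everything from the host.
  echo "iptables -t filter -A FORWARD -i $ifc -o $ifc -d $dst -p tcp --dport $outport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
  echo "iptables -t filter -A FORWARD -i $ifc -o $ifc -s $dst -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# apply_hairpin IFACE IFACE_IP DEST_IP IN_PORT OUT_PORT
apply_hairpin() {
  rules=$(hairpin_rules "$@") || { echo "invalid parameters" >&2; return 1; }
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$rules"; return 0; fi
  # Without forwarding enabled the DNAT'd packets are dropped by the router.
  sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
  printf '%s\n' "$rules" | sh -e
}
```

Run with `DRY_RUN=1 apply_hairpin eth0 <external-ip> <server-ip> 21 3805` to inspect the commands before they are applied.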
