[ale] NAT And traffic redirection

Robert L. Harris Robert.L.Harris at rdlg.net
Thu Dec 7 11:57:53 EST 2006


  You're on the right track I would say.  I've made a number of services
available to public subnets which actually run on machines behind my NAT.
My firewall has a public IP, 10.0.5.2 in your case.  I then use the firewall
rules:

IPTABLES=/sbin/iptables   # path and interface are assumed; Allow is a user-defined chain reached from INPUT/FORWARD
IFACE=eth0
$IPTABLES -A Allow -p tcp --source aaa.bbb.ccc.0/24 --dport 9000 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 9000 -j DNAT --to 192.168.7.8:9000

This allows all traffic hitting the firewall on port 9000 to hit the machine in
the background.  Since it is a Windows machine I don't think I'd forward all
traffic to it, I would do a service by service forwarding...

Robert





Thus spake Christopher Fowler (cfowler at outpostsentinel.com):

> I have a Linux server at a remote location that is VPN'ed into our
> network.  Inside the VPN I've assigned it address 10.0.5.2.  I want to
> be able to access a Windows server at 192.168.7.8 that is behind that
> machine from my desktop here at home.  Is there a way I can tell that
> Linux server to send all TCP/UDP traffic that is destined to 10.0.5.3 to
> that Windows box at 192.168.7.8?  That Windows box would then see
> traffic as if it was coming from 192.168.7.2 which is the ethernet
> address of that Linux server.
> 
> In this case I need to access services on that windoze machine with
> clients on my desktop but routing to 192.168.7.0 is not possible.
> Someone told me I could assign another address to that Linux server and
> that could be the virtual address for NAT for that windows machine.
> 
> Chris
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

:wq!
---------------------------------------------------------------------------
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for              First One Should Be A Man
       no-one else.                       - Manowar
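As an added example for the setup Chris describes (this is not code from the original post): the script below builds the iptables rules that make a second address on the Linux server's VPN side, 10.0.5.3, stand in for the Windows host 192.168.7.8, and source-NATs the forwarded traffic so the Windows host sees it as coming from 192.168.7.2. The interface names tun0 and eth0 and the iptables path are assumptions; override them through the environment if yours differ. Rules are printed rather than executed by default so they can be reviewed before they touch a live firewall.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the DNAT/SNAT rules
# for the scenario in the thread: 10.0.5.3 on the Linux server's VPN side
# represents the Windows host 192.168.7.8, and the Windows host sees every
# forwarded packet as coming from 192.168.7.2. Interface names and the
# iptables path below are assumptions.

VPN_IF="${VPN_IF:-tun0}"                  # assumed: VPN interface carrying 10.0.5.0/24
LAN_IF="${LAN_IF:-eth0}"                  # assumed: LAN interface holding 192.168.7.2
IPTABLES="${IPTABLES:-/sbin/iptables}"    # assumed path
VIRT_IP="10.0.5.3"                        # virtual address standing in for the Windows box
LAN_IP="192.168.7.2"                      # Linux server's own ethernet address
TARGET="192.168.7.8"                      # Windows server behind the Linux box

# Rules needed whether you forward everything or only single services.
gen_common() {
    # Bring the virtual address up on the VPN side so packets for it arrive here.
    echo "ip addr add ${VIRT_IP}/32 dev ${VPN_IF}"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Replies from the Windows host ride the existing conntrack entry back out.
    echo "${IPTABLES} -A FORWARD -i ${LAN_IF} -o ${VPN_IF} -s ${TARGET} -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# One DNAT/SNAT/FORWARD triple. $1 = protocol, $2 = port (empty = all ports).
gen_nat() {
    proto="$1"
    port="$2"
    match=""
    if [ -n "$port" ]; then match=" --dport ${port}"; fi
    # Inbound: rewrite the destination from the virtual address to the real host.
    echo "${IPTABLES} -t nat -A PREROUTING -i ${VPN_IF} -d ${VIRT_IP} -p ${proto}${match} -j DNAT --to-destination ${TARGET}"
    # Outbound: rewrite the source so the Windows host answers the Linux server,
    # which is the only path that leads back into the VPN.
    echo "${IPTABLES} -t nat -A POSTROUTING -o ${LAN_IF} -d ${TARGET} -p ${proto}${match} -j SNAT --to-source ${LAN_IP}"
    # The filter table must also let the translated packet through.
    echo "${IPTABLES} -A FORWARD -i ${VPN_IF} -o ${LAN_IF} -d ${TARGET} -p ${proto}${match} -j ACCEPT"
}

# Forward all TCP and UDP, exactly as the question asks.
gen_all() {
    gen_common
    for proto in tcp udp; do gen_nat "$proto" ""; done
}

# Forward only listed services, the narrower option the reply recommends for
# a Windows host. Arguments are proto:port pairs, e.g. gen_services tcp:3389
gen_services() {
    gen_common
    for svc in "$@"; do
        gen_nat "${svc%%:*}" "${svc#*:}"
    done
}

case "${1:-show}" in
    show)  gen_all ;;
    apply) gen_all | sh -e ;;   # run as root on the Linux server
esac
```

Two things worth checking before applying it: the SNAT step means the Windows host's own logs will only ever show 192.168.7.2, so any per-client auditing has to happen on the Linux server; and `gen_all` exposes every listening port on the Windows host to whoever can reach 10.0.5.3 inside the VPN, which is why `gen_services tcp:3389 tcp:445` (or whatever you actually need) is the safer choice.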
