[ale] NAT And traffic redirection
Jerry Yu
jjj863 at gmail.com
Fri Dec 8 21:22:54 EST 2006
- it should be a simple DNAT using iptables.
- as for the port 443, you can use arbitrary port # (say client
requests https://windows.server:8443), and ask DNAT to direct such
traffic to windows.server:443
- short of which, you can create an aliased interface on the Linux
server (eth0:1), direct https traffic to this aliased IP to the real backend
server
- On the windows server (the DNAT destination), you'll need to force
the response traffic to go through the Linux server (router/NAT) by adding a
static host/network route. Otherwise, the response traffic will go to its
own default route.
- arp is a different story altogether, I believe.
On 12/8/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
>
> I'm trying to use SNAT in combination with DNAT
>
> Based on this document:
>
> http://linux-ip.net/html/nat-dnat.html
>
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT all -- anywhere 192.168.1.117
> to:192.168.9.5
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> SNAT all -- anywhere anywhere
> to:192.168.9.254
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
>
> My eth0 network is 192.168.1.0 and eth1 192.168.9.0. On my 192.168.1.0
> subnet should a ping to 192.168.1.117 not be forwarded to 192.168.9.5?
>
>
> On the gateway (my desktop) eth0 is 192.168.1.115 and eth1 is
> 192.168.9.254. I want to ping 192.168.9.5 from the 192.168.1.0 subnet
> without adding a host based route of 192.168.9.5 -> 192.168.1.115 on my
> firewall. As I read that document I assume that my desktop
> (192.168.1.115) will answer arp requests on behalf of 192.168.1.117 and
> forward packets via DNAT to 192.168.9.5. tcpdump shows me that no one
> is answering arp requests for 192.168.1.117.
>
>
> On Thu, 2006-12-07 at 12:36 -0500, Christopher Fowler wrote:
> > Another problem I have is that the Window server is running https on 443
> > as well as my Linux device. So I can't nat 443 to that server because
> > then I can't get to the device. I also can't change the port to 444
> > because this darn web interface on windows does redirects with an
> > absolute URL thus removing :444 from what I typed in my browser and
> > sending me back to my device.
> >
> > This is why this virtual address thing keeps coming back into my head.
> >
> > On Thu, 2006-12-07 at 12:21 -0500, Christopher Fowler wrote:
> > > On Thu, 2006-12-07 at 11:57 -0500, Robert L. Harris wrote:
> > > > $IPTABLES -A Allow -p tcp --source aaa.bbb.ccc.0/24 --dport 9000 -j
> > > > ACCEPT
> > > > $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 9000 -j DNAT
> > > > --to 192.168.7.8:9000
> > >
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
>
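As an added example that is not part of the thread: a small shell script that implements Jerry's suggestion (DNAT from an alternate port such as 8443 on the Linux box to the Windows server's 443), with an optional SNAT fallback for the case where the Windows server cannot be given a static route back through the Linux box. Addresses, interfaces and the 192.168.9.254 SNAT source come from the thread; the `nat_rules` function and the `IPT` dry-run variable are my additions.

```shell
#!/bin/sh
# Constructed example: DNAT https://192.168.1.115:8443 -> 192.168.9.5:443.
# Set IPT=echo to print the rules instead of applying them.
set -eu

EXT_IF="eth0"               # interface facing the 192.168.1.0/24 clients
INT_IF="eth1"               # interface facing the 192.168.9.0/24 side
LINUX_IP="192.168.1.115"    # Linux box, which also serves its own https on 443
BACKEND="192.168.9.5"       # Windows server reached through the Linux box
ALT_PORT="8443"             # port clients type in the browser for the Windows UI
SNAT_IP="192.168.9.254"     # Linux box's inner address, used only in snat mode
IPT="${IPT:-iptables}"

# $1 = "route": Windows server has a static route for 192.168.1.0/24 via
#               192.168.9.254, so replies come back through the Linux box.
# $1 = "snat":  no such route; rewrite the client source so replies go to
#               the Linux box anyway (the backend then logs 192.168.9.254,
#               not the real client address).
nat_rules() {
  mode="$1"
  # Only the alternate port is translated; the Linux box's own 443 stays local.
  $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$LINUX_IP" --dport "$ALT_PORT" \
       -j DNAT --to-destination "$BACKEND:443"
  # FORWARD must allow the translated flow and its replies (policy may be DROP).
  $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$BACKEND" --dport 443 -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  if [ "$mode" = "snat" ]; then
    $IPT -t nat -A POSTROUTING -o "$INT_IF" -p tcp -d "$BACKEND" --dport 443 \
         -j SNAT --to-source "$SNAT_IP"
  fi
}

# Usage: IPT=echo sh nat.sh route   (or: sh nat.sh snat, as root, to apply)
if [ -n "${1:-}" ]; then
  nat_rules "$1"
fi
```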