From: Djamil ESSAISSI
To: gentoo-dev@cvs.gentoo.org
Subject: Re: [gentoo-dev] NAT iptables info
Message-Id: <20011002122143.64aa2434.djamil@francexpress.com>
In-Reply-To: <3BB8D91C.C52CDE0C@gentoo.org>
References: <3BB8D91C.C52CDE0C@gentoo.org>
Organization: Francexpress
X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu)
List-Id: Gentoo Linux development list
Date: Tue Oct 2 04:13:01 2001
X-Original-Date: Tue, 2 Oct 2001 12:21:43 +0200

I fortunately know what you mean, so I give you as an example my little farm at home:

First you have to know:
  eth0 is hooked up to the DSL modem
  eth1 is hooked up to the LAN
  ppp0 is the outside link (can be DSL, dial-up or even a VPN!)

    adsl-start                                 # the stuff of rp-dsl that comes with Gentoo...
    # Open the door
    route add -net 0.0.0.0 gw 62.4.19.XXX      # the IP on the PPP connection; in my case it is static ;)

    # Open sesame!
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE   # masquerade the bloody LAN through ppp0
    iptables -A FORWARD -i eth1 -j ACCEPT                  # and do me some forwarding too, coming from eth1 [remember eth1 is the LAN side]

    # Get me FTP
    iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 21 -j DNAT --to 192.168.0.2:21    # this is how I use a PIII500/512M as a web/
    iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 20 -j DNAT --to 192.168.0.2:20    # ftp server behind a good old P100.

    # Get me HTTP/S
    iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 80 -j DNAT --to 192.168.0.2:80
    iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 443 -j DNAT --to 192.168.0.2:443

    # Get me ssh
    iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 24 -j DNAT --to 192.168.0.2:22    # or even use another port to open another ssh on the inside machine.

NOTE: there is no firewalling involved here!!! This makes it work only --- it doesn't protect any machine. For example: if you've got SUB7 on a Win98 machine, the lame can get to your machine. But this setup is sweet when I run a CS/HL server on an inside machine... hard to believe! It WORKS! BUT you can still protect it by blocking ports/IPs... good luck and be careful.

NOTE also that this runs on Gentoo, so maybe I passed over some steps as they may have been already set up by default...

grutz.
Djamil-
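Added example, not from Djamil's post: the same ppp0/eth1 masquerade and port-forwarding arrangement, written as a rule generator that also emits the FORWARD filtering he says is missing, so forwarding is default-deny and only the published ports reach 192.168.0.2. The WAN_IP value is a placeholder standing in for the elided static address; the helper function names are my own.

```shell
#!/bin/sh
# Added example, not the original post's script: the ppp0/eth1 NAT setup
# with FORWARD filtering so only the published ports reach the inside host.
# Prints the rules instead of applying them, so the set can be reviewed
# (or diffed against a previous run) first; run the output as root to apply.
WAN_IF=ppp0
LAN_IF=eth1
SRV=192.168.0.2
WAN_IP="${WAN_IP:-62.4.19.XXX}"   # placeholder for the elided static PPP address

# external:internal port pairs from the post (24 on the outside maps to ssh)
SERVICES="21:21 20:20 80:80 443:443 24:22"

gen_rules() {
    # Default deny for forwarded traffic; everything below is an explicit allow.
    echo "iptables -P FORWARD DROP"
    # Replies to connections that were already allowed in either direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # LAN hosts may initiate outbound connections (the post's FORWARD rule, narrowed to ppp0).
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    for spec in $SERVICES; do
        ext=${spec%%:*}
        int=${spec##*:}
        # DNAT only for packets arriving on the WAN side, plus a matching
        # FORWARD accept for new connections to that one port on the server.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $ext -j DNAT --to-destination $SRV:$int"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $SRV --dport $int -m state --state NEW -j ACCEPT"
    done
    # Active-mode FTP data connections originate from the server on port 20 and are
    # tracked by the conntrack FTP helper (nf_conntrack_ftp), not by the port-20 DNAT.
}

# Helpers for checking the generated set without applying it.
count_forward_accepts() { gen_rules | grep -c '^iptables -A FORWARD .*-j ACCEPT$'; }
count_dnat_rules()      { gen_rules | grep -c -- '-j DNAT'; }
```

Running `sh thisfile.sh` prints nothing; call `gen_rules` (for example, `. ./thisfile.sh; gen_rules`) to see the rule set before piping it to a root shell.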