[olug] Port Address Translation

Christopher Cashell topher-olug at zyp.org
Tue Feb 16 22:19:09 UTC 2010


On Tue, Feb 16, 2010 at 1:00 PM, Aaron Keck <keckbug at gmail.com> wrote:
> I've got a small Ubuntu Server 8.04 box running here at home, and I'm
> attempting to set up Port Address Translation, but not NAT.  The goal is to
> have a connection to the box at a given port be forwarded to a different IP
> and port number, all on the same subnet.  I've done a little looking at
> iptables configurations, but can't seem to get one working.

Give the rules below a try, on the box that's in the middle.  For the
purpose of these rules, I'm assuming that the box in the middle is
192.168.1.100 and the box with the ultimate destination port you want
to reach is 192.168.1.200.  I'm also assuming that we're dealing with
a web server running on port 80.  Please adjust these values as
needed.  Also, make sure that ip forwarding is turned on (if not, try
'sysctl -w net.ipv4.ip_forward=1')

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200
iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.100
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Then, when you make a connection to port 80 on 192.168.1.100, it will
transparently redirect that traffic to port 80 on 192.168.1.200, while
rewriting the source of the packet to be itself.  Return traffic will
be sent to 192.168.1.100, since it listed itself as the packet source,
and then forwarded back to the host that originated the request.

The above is assuming no other iptables rules.  If you have additional
rules, you may need to shuffle these or your existing rules around, or
make other alterations.

Alternately, this could be done in userspace using something like
socat, ncat, nc, or any of the other netcat clones.

> Aaron

-- 
Christopher
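The same rule set as a small POSIX shell script, added here as an illustration and not part of the thread. It goes a little beyond the reply above in two ways: it lets the target port differ from the listening port (the original question asked for a different IP and port), and it pins the DNAT to the middle box's own address and the SNAT/FORWARD rules to the target address so that unrelated traffic passing through the box is not rewritten. The addresses and ports (192.168.1.100, 192.168.1.200, 80 to 8080) are the constructed defaults; the rules are printed rather than executed so they can be reviewed first and then piped into sh as root.

```shell
#!/bin/sh
# Added example, not the poster's own script.  Defaults are constructed
# values; override them from the environment as needed.
MIDDLE="${MIDDLE:-192.168.1.100}"      # box in the middle (runs iptables)
TARGET="${TARGET:-192.168.1.200}"      # box that really serves the port
LISTEN_PORT="${LISTEN_PORT:-80}"       # port clients connect to on MIDDLE
TARGET_PORT="${TARGET_PORT:-8080}"     # port the service listens on at TARGET

# Emit the iptables commands for the given parameters, one per line.
# PREROUTING rewrites the destination before routing; POSTROUTING then
# rewrites the source so the reply comes back through MIDDLE rather than
# going straight from TARGET to the client (needed when all three hosts
# share a subnet).  FORWARD sees the packet after DNAT, so it matches on
# the target address and port.
pat_rules() {
    middle=$1; target=$2; lport=$3; tport=$4
    cat <<EOF
iptables -t nat -A PREROUTING -d $middle -p tcp -m tcp --dport $lport -j DNAT --to-destination $target:$tport
iptables -t nat -A POSTROUTING -d $target -p tcp -m tcp --dport $tport -j SNAT --to-source $middle
iptables -A FORWARD -d $target -p tcp -m tcp --dport $tport -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Return 0 when IP forwarding is on.  The optional path argument lets the
# check be pointed at a file other than the real sysctl node.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

main() {
    if ! forwarding_enabled; then
        echo "ip_forward is off; run: sysctl -w net.ipv4.ip_forward=1" >&2
    fi
    pat_rules "$MIDDLE" "$TARGET" "$LISTEN_PORT" "$TARGET_PORT"
}

main
```

Review the output, then apply it with something like `sh pat_rules.sh | sudo sh`. After applying, `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` show the packet counters climbing on the DNAT/SNAT and FORWARD rules as connections arrive, which is the quickest way to see which rule a connection is failing at when an existing rule set gets in the way.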
