On Mon, Oct 22, 2007 at 09:14:02PM +0530, Jasbir Khehra wrote:
| On 10/22/07, आशीष शुक्ल Ashish Shukla <[EMAIL PROTECTED]> wrote:
[...]
| > I used to connect to the internet by PPPoE dialing to my ISP from my box
| > (172.16.0.3). I wanted to DNAT TCP packets coming from the external world
| > on TCP port "9053" of the "ppp0" interface (which gets created as a result
| > of PPPoE dialing) to TCP port "1203" of my machine's ethernet interface (eth0).
| >
| > The network service which I wanted to expose is listening on 172.16.0.3:1203.
| >
| It's not clear, so I am assuming here that the service and the internet
| connection are on the same machine.

I think I mentioned that my box is at 172.16.0.3 and the service is listening
on 172.16.0.3:1203 :) .

| > For that I've created the following iptables rules:
| >
| > iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j EPT
| > iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3:1203
| > iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 1203 -j ACCEPT
| >
| The packets will hit the PREROUTING chain first and the dst port will
| be modified, therefore in your INPUT chain rule you give port 1203.
| Also there is no need to use the state module, because you need to open
| this port for NEW as well as ESTABLISHED packets.
|
| iptables -t filter -A INPUT -i ppp0 -p tcp --dport 1203 -j ACCEPT

Thanks for the above explanation. I figured out that I'm not accepting the new
DNATted connection in the INPUT chain. So I need to remove that "-t filter -A
FORWARD" rule and change it to "-t filter -A NAT", as packets will reach the
FORWARD chain only when packets are destined for this host. :)

Thanks
Ashish Shukla

-- 
Ashish Shukla "Wah Java !!" आशीष शुक्ल
weblog: http://wahjava.wordpress.com/

,= ,-_-. =.   | DRMs are often designed by ambitious, well-funded consortia,
((_/)o o(\_)) | with top-notch engineers from every corner of the industry.
 `-'(. .)`-'  | They spend millions. They take years. They are defeated in
     \_/      | days, for pennies, by hobbyists. - Cory Doctorow

The best optimizer is between your ears. - Michael Abrash

_______________________________________________
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Next Event: http://freed.in - September 28-29, 2007
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi
http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
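The rule set the thread converges on, written out as an added example (this is not the poster's script or the list's code). Two facts drive it: nat/PREROUTING runs before the routing decision, so by the time a packet reaches the filter table its destination port is already 1203; and a packet whose DNATed destination is one of the box's own addresses is delivered locally, so it traverses filter/INPUT (the filter table's chains are INPUT, FORWARD and OUTPUT; FORWARD is only for packets routed through the box). The accept therefore belongs in filter/INPUT and must match the rewritten port. The script only prints the rules unless told to apply them, so it can be checked without root. Assumed values are the thread's: ppp0, public port 9053, host 172.16.0.3, service port 1203; the `--ctorigdstport` refinement assumes a conntrack match that supports it.

```shell
#!/bin/sh
# Added example, not the poster's rules: expose a service that listens on the
# same box that dials PPPoE, via DNAT on the PPPoE interface.
# Assumed values (from the thread): ppp0, public port 9053, 172.16.0.3, port 1203.

# check_port PORT: succeed only for an integer in 1..65535.
check_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_dnat_rules IFACE PUBPORT HOSTIP SVCPORT
# Print the iptables commands, one per line, in the order they should be applied.
gen_dnat_rules() {
    iface=$1 pubport=$2 hostip=$3 svcport=$4
    check_port "$pubport" && check_port "$svcport" || return 1

    # Replies and later packets of an already-accepted connection are matched
    # here, so the port-specific rules below only ever see the first packet.
    printf '%s\n' "iptables -t filter -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # nat/PREROUTING runs before the routing decision: rewrite the destination
    # so the packet is addressed to the local service on the box itself.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $pubport -j DNAT --to-destination $hostip:$svcport"

    # After DNAT the packet is for a local address, so it traverses filter/INPUT
    # (not FORWARD) and carries the rewritten port: match --dport $svcport here.
    # --ctorigdstport restricts the accept to connections that originally hit
    # $pubport, so $svcport is not also opened on $iface for clients that
    # address it directly.  Older conntrack matches lack this option; drop it
    # there and the rule still accepts the DNATed connections.
    printf '%s\n' "iptables -t filter -A INPUT -i $iface -p tcp --dport $svcport -m conntrack --ctstate NEW --ctorigdstport $pubport -j ACCEPT"
}

# apply_dnat_rules IFACE PUBPORT HOSTIP SVCPORT: run the generated commands.
# Needs root and a kernel with netfilter; kept separate from generation so the
# rule text can be reviewed (or tested) first.
apply_dnat_rules() {
    gen_dnat_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Usage:  sh thisscript.sh ppp0 9053 172.16.0.3 1203        (print rules)
#         APPLY=1 sh thisscript.sh ppp0 9053 172.16.0.3 1203 (apply, as root)
if [ $# -eq 4 ]; then
    if [ "${APPLY:-0}" = 1 ]; then apply_dnat_rules "$@"; else gen_dnat_rules "$@"; fi
fi
```

Note what the generated INPUT rule does not contain: `--dport 9053`. A filter/INPUT rule on the public port can never match, because the port has already been rewritten by the time INPUT is reached; that was the original ruleset's defect.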