I think the syntax is --dport 2090:2098. You can forward to a range of contiguous IP addresses, but I don't think you can forward to a bunch of non-contiguous IP addresses. Check the man pages.

Unless you specifically tell it to, iptables shouldn't change the destination port. So if you don't specify 192.168.1.77:someport in the DNAT rule, it will forward it on the same port on the destination IP.

Load balancing is another matter. You could probably try and do it in iptables with mark, tos, or something like that, but I don't think it was really intended for that. I am sure there is someone who can give you better guidance in that department than I.

There is lots of good info in the man pages and the how-to pages. I would suggest you print out the man pages for iptables and keep them handy.
Stu..........

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mailing List
Sent: April 24, 2002 5:20 PM
To: [EMAIL PROTECTED]
Cc: Ramin Alidousti
Subject: Re: Forwarding some ports...

On Wed, 24 Apr 2002 19:35:47 -0400
Ramin Alidousti <[EMAIL PROTECTED]> wrote:

> http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.2
>
> On Wed, Apr 24, 2002 at 06:29:09PM -0400, Mailing List wrote:
>
> > OK, since I can't find any HOWTOS, I'm going to have to ask my question here...
> >
> > How can I forward some ports to one of my boxes behind
> > firewall/router/gateway?
> >
> > (My gateway/firewall/router is 192.168.1.1 local addy)
> > (My other computers behind it are 192.168.1.77 and 192.168.1.177)
> > (I want to forward ports 2000-2152 from my gateway to my second box)
> >
> > How about a range of ports?
> >
> > Please explain it in simple language so I can understand.
> >
> > Thank you,
> >
> > GRE
>

OK, that helped SOME, but how do I specify a bunch of ports to be forwarded?

This does NOT work because '--dport' doesn't accept a range of ports, but this is what I tried:

iptables -t nat -A PREROUTING -p tcp --dport 2090-2098 -i eth0 -j DNAT --to 192.168.1.77

It gave me the error:

invalid TCP port/service `2090-2098' specified

Also, is there a way to specify more than one IP after '--to'? (like 192.168.1.77,192.168.1.177 for 192.168.1.77 and 192.168.1.177 only?)

I'm assuming that if I don't specify the ports after '-j DNAT --to' that it will use the same port as in '--dport', is this correct? (i.e. if I specify '--dport 2090' and specify '-j DNAT --to 192.168.1.77', will it forward port 2090 on the gateway to port 2090 on 192.168.1.77?)

Thanks for your help,

GRE
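The following script is an added example, not code from either poster: it builds the port-forwarding rule set that Stu's answer describes, in the low:high port syntax that iptables actually parses, and rejects the low-high form that produced GRE's error. The interface name eth0, the internal host 192.168.1.77 and the range 2090:2098 are taken from the thread; the accompanying FORWARD rules, the state-match module and the ip_forward sysctl are assumptions about the gateway's firewall, not something the thread states. The DNAT target is written as --to-destination, of which the '--to' in GRE's command is the abbreviated form. The script only prints the rules, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not code from the thread): build the DNAT rule set that
# Stu's answer describes, in the syntax that actually parses. Constructed
# values: WAN interface eth0, internal host 192.168.1.77, ports 2090:2098.

# iptables writes TCP port ranges as low:high (not low-high, which gives the
# "invalid TCP port/service" error quoted in the thread). Accept a single
# port or low:high with both ends in 1..65535 and low <= high.
valid_port_range() {
    range="$1"
    case "$range" in
        *:*) low="${range%%:*}"; high="${range#*:}" ;;
        *)   low="$range";       high="$range" ;;
    esac
    for p in "$low" "$high"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric end
        esac
    done
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# Print (not run) the rules for one forward: wan_if port_range internal_ip.
# The DNAT target carries no port, so the destination port is left unchanged,
# as Stu's answer states; a target of 192.168.1.77:8080 would instead rewrite
# every port in the range to 8080. The FORWARD rules (assumed here, not in
# the thread) open only the forwarded range towards the one internal host,
# so nothing else behind the gateway becomes reachable from outside.
dnat_rules() {
    wan_if="$1"; range="$2"; target="$3"
    valid_port_range "$range" || {
        echo "bad port range '$range': use low:high" >&2
        return 1
    }
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $range -j DNAT --to-destination $target" \
        "iptables -A FORWARD -i $wan_if -p tcp -d $target --dport $range -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A FORWARD -o $wan_if -p tcp -s $target --sport $range -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Dry run: show the rule set. Passing packets between interfaces also needs
# IP forwarding enabled on the gateway; apply as root once reviewed.
echo "# sysctl -w net.ipv4.ip_forward=1"
dnat_rules eth0 2090:2098 192.168.1.77
```

Running the script prints the three iptables commands for the 2090:2098 range; calling dnat_rules with 2090-2098 instead prints an error and produces no rules, mirroring what iptables itself rejects.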
