Hi:

You are halfway there. Rule 1 is ok. However, you need to change rule 2.

Rule 1 means: if a packet is received from the desired ip destined for the external ip for telnet, DNAT it to the internal telnet server address. However, the packet is still sitting at the external interface.

Rule 2 means: if there is a packet from the desired ip to the internal telnet server, then forward it.
You will also need a rule to allow the internal traffic out if it isn't already in your script. I normally specify the interfaces in the rules as well. Try to make your rules as specific as possible. Set your default policy to drop first thing. Then open up things as required with specific rules.

I removed the ip:23 from your DNAT rule. It is ok, but is only required if you are actually changing the destination port. Below 1024 iptables shouldn't change the destination port.
Stu.........
1. PREROUTING chain (the PREROUTING chain and the DNAT target live in the nat table, so -t nat is required)
iptables -t nat -A PREROUTING -p tcp -s 10.0.0.1/24 --sport 1024:65535 \
    -d 211.1.1.1 --dport 23 -j DNAT --to 192.168.1.2

2. FORWARD chain
iptables -A FORWARD -p tcp -s 10.0.0.1/24 --sport 1024:65535 -d 192.168.1.2 \
    --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
Which is right? or both are right?
Thanks a lot.
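An added example, not part of the thread: the rule set Stu's advice implies, put together as a script, with a default-DROP policy, interfaces named on every rule, the DNAT in the nat table, and the return path allowed. The interface names eth0/eth1, the OUTPUT policy, and the DRY_RUN wrapper are assumptions; the addresses are the ones from the post.

```sh
#!/bin/sh
# Constructed example, not the poster's script.
EXT_IF="${EXT_IF:-eth0}"     # assumed: interface holding 211.1.1.1
INT_IF="${INT_IF:-eth1}"     # assumed: interface facing 192.168.1.0/24
EXT_IP="211.1.1.1"           # external address from the post
TELNET_SRV="192.168.1.2"     # internal telnet server from the post
TRUSTED="10.0.0.0/24"        # the post's 10.0.0.1/24; iptables masks it to this

# DRY_RUN=1 prints each command instead of applying it, so the rule set can
# be reviewed without root (assumed convenience, not an iptables feature).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Default policy: drop first thing, then open specific holes.
    # OUTPUT is left ACCEPT so the router itself keeps working (assumption).
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Rule 1: rewrite the destination on the external interface.
    # PREROUTING/DNAT belong to the nat table; no :23 suffix because the
    # destination port is unchanged.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -s "$TRUSTED" -d "$EXT_IP" \
        --dport 23 -j DNAT --to-destination "$TELNET_SRV"

    # Rule 2: after DNAT the packet is addressed to the server, so the
    # FORWARD rule matches the internal address, bound to both interfaces.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -s "$TRUSTED" -d "$TELNET_SRV" \
        --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Rule 3: the "internal traffic out" Stu mentions: replies from the
    # server back toward the trusted client, only for existing sessions.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -s "$TELNET_SRV" -d "$TRUSTED" \
        --sport 23 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Apply for real only when run directly with DRY_RUN unset.
[ "${DRY_RUN:-0}" = 1 ] && apply_rules
```

Run with DRY_RUN=1 to print the commands and check them before applying them as root.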