If you only want to forward port 80, that's easy...just set up a forward for port 80 to the internal system.
On Thu, 16 Jan 2003, Gary Stainburn wrote:

> On Thursday 16 Jan 2003 12:05 am, Mike Burger wrote:
> > We're still stuck with the point that kernel 2.2.x doesn't do iptables.
>
> That doesn't matter to me, I'll just install RH7.3. My problem is that when I
> started looking at IPTables (and IPChains for that matter) my brain hurt.
>
> Put simply, I don't want to allow any forwarding except port 80.
>
> Assuming my firewall has eth0 on 10.1.1.20 and eth1 on 192.168.1.1 and I want
> to forward traffic for 10.1.0.34 through 192.168.1.2 which will be a Cisco
> router, I guess I'll have to
>
> Set the default to not forwarding, thus disabling all other ports/addresses
> set the forward for 10.1.0.34:80 to 102.168.1.2
>
> Could someone please provide me with the two commands I'd need to run
> (presumably the second would look something like:
>
> iptables -A PREROUTING -t nat -d 10.1.0.34:80 -j DNAT --to 192.168.1.2
>
> Gary
>
> > On Wed, 15 Jan 2003, David Busby wrote:
> > > For this you can tell iptables (get latest kernel) to port forward from a
> > > specific inbound IP address.
> > > This avoids using eth0:1, you say (but I forget how) to take all inbound
> > > packets for PUBLICIP:PORT and forward to PRIVATEIP:PORT. Look at the -m
> > > and -p switches for iptables
> > >
> > > /B
> > >
> > > ----- Original Message -----
> > > From: "Mike Burger" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, January 15, 2003 10:18
> > > Subject: Re: Forward IP from eth0:1 to real host behind eth1
> > >
> > > > On Wed, 15 Jan 2003, Nick Lindsell wrote:
> > > > > At 14:16 15/01/2003 +0000, you wrote:
> > > > > > Hi Folks,
> > > > > >
> > > > > > I have a Watchguard firebox II which is based on a 2.2 kernel. With
> > > > > > this box, I can define IP addresses within the subnet of the public
> > > > > > I/F and have that traffic forwarded to a host within my DMZ.
> > > > > >
> > > > > > For example the public I/F of the firewall is 213.38.87.130, but I
> > > > > > have configured the box so that incoming traffic for 213.38.87.132
> > > > > > gets forwarded to 10.5.1.2 on the DMZ's (eth1) subnet.
> > > > > >
> > > > > > I would like to do a similar thing on another box running a standard
> > > > > > RH installation. Has anyone got any ideas how I can do that?
> > > > >
> > > > > You'll need to use iptables to portforward to the internal box.
> > > > > e.g.
> > > > > /sbin/iptables -A PREROUTING -t nat -d $EXTERNAL_FIREWALL_IP -j DNAT --to $INTERNAL_SERVER_IP
> > > > >
> > > > > or something like that.
> > > > > You could place the command in /etc/rc.d/rc.local.
> > > > >
> > > > > It would probably be wise to only portforward specific ports.........
> > > >
> > > > Two problems with the above suggestion:
> > > >
> > > > A) Kernel 2.2.x doesn't do netfilter/iptables
> > > >
> > > > B) iptables doesn't like ethx:y interfaces

--
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org:2000

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
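Worked example, added to this page and not code from the thread or its posters: the rule set Gary asks for (forward nothing except TCP/80 for 10.1.0.34, delivered to the host at 192.168.1.2 behind eth1), written as a small script on a 2.4 kernel with netfilter, which is what RH 7.3 ships. The interface names and addresses follow his post; the script itself, the `run` helper, the `DRY_RUN` switch and the reading of his `102.168.1.2` as a typo for `192.168.1.2` are my assumptions. Two points the posted guess `-d 10.1.0.34:80` gets wrong are reflected here: `-d` takes an address (or address/mask), never `addr:port`, so the port goes in `--dport` and needs `-p tcp`; and a DNAT rule alone does not make the packet pass, the FORWARD chain still has to accept it, and because PREROUTING runs first, FORWARD sees the translated destination `192.168.1.2`, not `10.1.0.34`.

```shell
#!/bin/sh
# Added example for the port-80-only forward discussed in the thread (my code,
# not the list's): TCP/80 to 10.1.0.34 arriving on eth0 is delivered to
# 192.168.1.2 behind eth1; nothing else is forwarded.  Assumes kernel 2.4 with
# netfilter (RH 7.3), that 102.168.1.2 in the post means 192.168.1.2, and that
# the firewall actually receives packets for 10.1.0.34 (see the note below).

IPT=${IPT:-/sbin/iptables}
EXT_IF=eth0            # side the clients are on (10.1.1.20)
INT_IF=eth1            # side the Cisco / web server is on (192.168.1.1)
PUBLIC_IP=10.1.0.34    # address the clients connect to
TARGET=192.168.1.2     # real host behind eth1
PORT=80

# DRY_RUN=1 prints each command instead of executing it, so the rule set can be
# reviewed on any box without root or netfilter before it touches a firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

fw_rules() {
    # Routing between eth0 and eth1 is off by default on Red Hat
    # (same as: echo 1 > /proc/sys/net/ipv4/ip_forward).
    run sysctl -w net.ipv4.ip_forward=1

    # Known starting state: nothing is forwarded unless a rule below allows it.
    run "$IPT" -P FORWARD DROP
    run "$IPT" -F FORWARD
    run "$IPT" -t nat -F PREROUTING

    # Rewrite the destination of TCP/80 packets for 10.1.0.34 to 192.168.1.2:80.
    # -d is matched on the address only; eth0:1 never appears in a rule.
    run "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUBLIC_IP" --dport "$PORT" \
        -j DNAT --to-destination "$TARGET:$PORT"

    # PREROUTING has already run when FORWARD is consulted, so match on the
    # translated address: allow new and established connections to the target ...
    run "$IPT" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$TARGET" --dport "$PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # ... and only reply traffic back out.  Connection tracking reverses the DNAT
    # on replies, so no SNAT is needed as long as 192.168.1.2 routes back via
    # 192.168.1.1 (the firewall) rather than some other gateway.
    run "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# sh fw-port80.sh show  -> print the commands;  sh fw-port80.sh apply -> run as root
case "${1:-}" in
    show)  DRY_RUN=1; fw_rules ;;
    apply) fw_rules ;;
esac
```

Two things to check when applying it. First, the DNAT rule can only act on packets the firewall receives, so 10.1.0.34 must either be configured as an extra address on eth0 (the `ifconfig eth0:1 10.1.0.34` alias the subject line refers to, which is exactly what makes the firewall answer ARP for it) or be routed to 10.1.1.20 by the upstream router; the rules above do not care which. Second, rules do not survive a reboot: on RH 7.3 either put the script in /etc/rc.d/rc.local as Nick suggests, or run `iptables-save > /etc/sysconfig/iptables` once the rules are in place so the stock iptables init script restores them. The original all-ports case (213.38.87.132 to 10.5.1.2) is the same script with `-p tcp ... --dport` and the `:$PORT` suffix removed from the DNAT and first FORWARD rules, at the cost of exposing every port on the internal host.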