2005-07-15, 03:37 PM
Ok, if you're behind a router and your DMZ'd box is running Linux (AFAIK a DMZ'd box is a box that all the external TCP/UDP ports are forwarded to from the router, that and ICMP), and you want to forward a port from your DMZ'd box to another internal (aka private) IP, this is the tut for you.
Code:
iptables -t nat -A PREROUTING -p tcp --dport $Port-to-forward -j DNAT --to-destination $Internal-IP
iptables -t nat -A POSTROUTING -p tcp -d $Internal-IP --dport $Port-to-forward -j SNAT --to-source $DMZ-Internal-IP
iptables -P FORWARD ACCEPT
Where $Port-to-forward is the port you want forwarded, and $Internal-IP is the Internal IP you want the port forwarded to, and $DMZ-Internal-IP is the DMZ'd box's Internal IP.
#
# Explanation
#
What the first command does is, when a packet is received, check if the destination port is $Port-to-forward, and if it is, change the destination IP in the packet's header from the DMZ'd IP to $Internal-IP.
So now we have a packet with a destination of $Internal-IP and a source of whatever. (So when $Internal-IP wants to send the packet back, it will send it through the gateway with the source IP of whatever, aka the *real* remote IP, and the gateway will send it back to the DMZ'd box, which is $DMZ-Internal-IP.) We're half there.
Now, first of all, the text between the () will not happen if the second command is added. What the second command does is match the packet to see if the destination is $Internal-IP and the destination port is $Port-to-forward; if so, it changes the *source* IP from the remote host to $DMZ-Internal-IP, so the packet comes back to the DMZ'd box so that it can re-route it.
EDIT: The last command sets the default policy of FORWARD to ACCEPT.
And I think you should
Code:
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding && echo 1 > /proc/sys/net/ipv4/ip_forward
to enable forwarding.