[plug] Multiple WAN IP's routed down DSL line
Leon Brooks
leon at cyberknights.com.au
Wed Jul 6 11:16:24 WST 2005
On Wednesday 06 July 2005 09:56, Shannon Carver wrote:
> Now, to apply this new IP range, (xxx.xxx.66.104/29), I've gone a bit
> out of my depth of understanding.
Use iptables and -j DNAT to forward just the traffic you need to those
servers on internal IP addresses:
iptables -t nat -A PREROUTING -p tcp -d $EXTERNALIP \
--dport $PORTNUM -j DNAT --to $INTERNALIP
So to direct DNS traffic for xxx.xxx.66.105 to your internal server to
which you've assigned the address 172.17.2.172 you would do:
iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.66.105 \
--dport 53 -j DNAT --to 172.17.2.172
iptables -t nat -A PREROUTING -p udp -d xxx.xxx.66.105 \
--dport 53 -j DNAT --to 172.17.2.172
This has the added advantage of automatically "firewalling" any ports on
the target server which were unintentionally left open, and dropping
any unwanted traffic at the firewall rather than sending it across the
LAN for the target server to drop.
For web traffic, you would use -p tcp and --dport 80 for standard web
and --dport 443 for HTTPS.
I also use this technique for making SSH/RDP/VNC to internal machines
available on odd ports (and usually from a restricted address range). I
melted a customer's brain one day by having VNC to the same address
(and port) hit different internal machines depending on where it was
coming from.
Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Member, Perth Linux User Group
http://slpwa.asn.au/ Member, Linux Professionals WA
http://osia.net.au/ Member, Open Source Industry Australia
http://linux.org.au/ Member, Linux Australia
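As an added illustration of the DNAT approach Leon describes (this is not code from his post), the script below generates a complete iptables-restore ruleset for a routed block: the nat PREROUTING rules that rewrite selected public addresses and ports to internal hosts, plus the FORWARD rules that accept exactly those forwarded ports and drop everything else. It also shows the "-s" source match for the SSH-on-an-odd-port-from-a-restricted-range case. The 192.0.2.x addresses stand in for the real xxx.xxx.66.x block, and the interface name, admin range and internal hosts are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original post: build an iptables-restore file that
# DNATs only the wanted ports of a public block to internal hosts and opens
# exactly those ports in FORWARD. Addresses/interface below are placeholders.

WAN_IF="ppp0"   # assumed: interface the DSL-routed block arrives on

# One service per line: PROTO EXT_IP PORT INT_IP [SRC]
# 192.0.2.x (TEST-NET-1) stands in for xxx.xxx.66.x; 198.51.100.0/24 is an
# assumed trusted admin range allowed to reach SSH on port 2222.
SERVICES='
tcp 192.0.2.105 53 172.17.2.172
udp 192.0.2.105 53 172.17.2.172
tcp 192.0.2.106 80 172.17.2.173
tcp 192.0.2.106 443 172.17.2.173
tcp 192.0.2.107 2222 172.17.2.174 198.51.100.0/24
'

# nat_rule PROTO EXT_IP PORT INT_IP [SRC]
# Rewrites the destination before routing; with SRC the same public
# address/port can be sent to different internal hosts per source range.
nat_rule() {
    src=""
    [ -n "$5" ] && src="-s $5 "
    printf '%s\n' "-A PREROUTING -i $WAN_IF ${src}-p $1 -d $2 --dport $3 -j DNAT --to-destination $4"
}

# forward_rule PROTO INT_IP PORT [SRC]
# FORWARD sees the packet after DNAT, so it must match the internal address.
forward_rule() {
    src=""
    [ -n "$4" ] && src="-s $4 "
    printf '%s\n' "-A FORWARD -i $WAN_IF ${src}-p $1 -d $2 --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# build_ruleset: print the whole iptables-restore file. FORWARD defaults to DROP,
# so anything not explicitly DNATed never crosses the LAN; this is what gives
# the automatic "firewalling" of ports left open on the internal servers.
build_ruleset() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo "$SERVICES" | while read -r proto ext port int src; do
        [ -n "$proto" ] || continue
        nat_rule "$proto" "$ext" "$port" "$int" "$src"
    done
    echo 'COMMIT'
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "$SERVICES" | while read -r proto ext port int src; do
        [ -n "$proto" ] || continue
        forward_rule "$proto" "$int" "$port" "$src"
    done
    echo 'COMMIT'
}

# Inspect before loading: build_ruleset > /tmp/rules && iptables-restore --test /tmp/rules
build_ruleset
```

The point worth keeping in mind is that DNAT alone only rewrites addresses; it is the FORWARD chain with a DROP policy that actually stops stray traffic at the firewall, so the two halves of the ruleset have to be kept in step (same protocol, same port, internal address in FORWARD). The INPUT chain is unaffected by these rules and must be handled separately for services on the firewall box itself.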