Sunday, June 25, 2006

Making port forwarded connections accessible from the intranet LAN

# Enabling many:one IP masquerading from the LAN to the Internet (i.e. out the $WAN interface)
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# port forwarding $WAN_IP:25 to $SMTP_SVR_IP:25 (DNAT belongs in PREROUTING, not POSTROUTING;
# deliberately no -i $WAN here, so a LAN host connecting to $WAN_IP:25 is redirected as well)
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 25 -j DNAT --to-destination $SMTP_SVR_IP
iptables -A FORWARD -i $WAN -p tcp --dport 25 -d $SMTP_SVR_IP -j ACCEPT
# with a DROP policy on FORWARD the hairpinned LAN connections need their own accept
iptables -A FORWARD -i $LAN -o $LAN -p tcp --dport 25 -d $SMTP_SVR_IP -j ACCEPT

# Making this cruft work from the intranet
# i.e. DESK_IP -> WAN_IP:25
# On its own the DNAT above fails for LAN clients: the SYN from DESK_IP is rewritten to
# $SMTP_SVR_IP, but the server is on the same subnet and answers DESK_IP directly from its
# own address, and DESK_IP cannot match that reply to its connection to $WAN_IP. SNATing the
# hairpinned connection to $WAN_IP forces the server's replies back through the router.

# Bad rule: matches everything leaving $LAN, including mail forwarded in from the Internet,
# so the SMTP server sees every connection as coming from $WAN_IP (the real client IPs vanish
# from its logs and from any IP-based access control or spam filtering)
iptables -t nat -A POSTROUTING -o $LAN -j SNAT --to-source $WAN_IP

# Good rule: only forwarded packets that both came from the LAN and leave on $LAN, i.e. the
# hairpinned connections, are SNATed; traffic arriving from $WAN keeps its real source
# (adding -d $SMTP_SVR_IP -p tcp --dport 25 narrows the rule to the one forwarded service)
iptables -t nat -A POSTROUTING -o $LAN -s 192.168.1.0/24 -j SNAT --to-source $WAN_IP
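The same construction as one complete script, added here as an example (it is not from the original post). It generalizes the hairpin to a list of forwarded services, narrows the SNAT to each service, and prints the rules with DRY_RUN=1 so they can be reviewed before being applied as root. The interface names, addresses and the FORWARDS list are assumed placeholder values, and the script is POSIX sh.

```sh
#!/bin/sh
# Hairpin NAT (NAT reflection) for port-forwarded services.
# All values below are assumptions for the example; override them in the environment.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
WAN_IP=${WAN_IP:-203.0.113.10}
LAN_NET=${LAN_NET:-192.168.1.0/24}
# proto:port:internal_ip, one entry per forwarded service (assumed values)
FORWARDS=${FORWARDS:-"tcp:25:192.168.1.25 tcp:443:192.168.1.80"}

# With DRY_RUN=1 print the rule instead of applying it (applying needs root).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

hairpin_rules() {
    # many:one masquerade for LAN -> Internet
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    for fwd in $FORWARDS; do
        proto=${fwd%%:*}; rest=${fwd#*:}
        port=${rest%%:*};  dst=${rest#*:}

        # DNAT in PREROUTING, deliberately without -i $WAN, so LAN hosts
        # connecting to WAN_IP:port are redirected to the internal server too
        ipt -t nat -A PREROUTING -d "$WAN_IP" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$dst"

        # accept the forwarded flow from the Internet ...
        ipt -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$dst" --dport "$port" -j ACCEPT
        # ... and the hairpinned flow from the LAN (only matters with a DROP policy on FORWARD)
        ipt -A FORWARD -i "$LAN" -o "$LAN" -p "$proto" -d "$dst" --dport "$port" -j ACCEPT

        # SNAT only the hairpinned flow (from the LAN, back out the LAN, to this service),
        # so the server's replies return via the router instead of going to the client directly.
        # Internet-originated connections keep their real source address.
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$LAN" -p "$proto" -d "$dst" --dport "$port" \
            -j SNAT --to-source "$WAN_IP"
    done
}

# Plain execution does nothing; ask for a review or an apply explicitly:
#   DRY_RUN=1 sh hairpin.sh        (print the rules)
#   APPLY=1 sh hairpin.sh          (as root, load them)
if [ "${DRY_RUN:-0}" = 1 ] || [ "${APPLY:-0}" = 1 ]; then
    hairpin_rules
fi
```

To check the result from a LAN host, connect to the public address (for SMTP, `nc $WAN_IP 25` should return the server banner); on the server the connection will appear to come from $WAN_IP, which is the price of the hairpin. If the internal client addresses matter to the server, split-horizon DNS that resolves the public name to $SMTP_SVR_IP inside the LAN avoids the SNAT altogether.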
