iptables question

[nweaver]

here is what I need: I have a linux iptables machine, forwarding ports to machines inside the nat for VPN. The machines do not have a default gateway (we are testing wan application stuff, and don't want to change it trying to go to the web via this connection) on this interface.

Can I do something like this (mangle tables maybe?)

1. World client, 10.0.0.1
2. Iptables NAT box, 20.0.0.1 (Live) 30.0.0.1
3. Internal VNC server 30.0.0.2

I want the connection from 10.0.0.1 to hit the 20.0.0.1 IP, get changed so source appears to be from 30.0.0.1 to 30.0.0.2 and have it route from 30.0.0.2 back out to 10.0.0.1?


Hope this makes sense.

 

[Devistater]

You might want to try:
http://www.fwbuilder.org/
I dont know much about IPtables, but I do like the looks of that tool. It builds IPtables to your specs with a GUI. I came across it in referance to the linksys wrt54g, they had an option to do specific builds for that router. But it is normally used to setup IPtables for linux stuff. They also came out with a version that runs on windows recently too.

 

[nweaver]

I don't have a gui on that machine

 

[n0cmonkey]

Sounds like you want a proxy. There should be plenty available.

 

[Devistater]

Originally posted by: nweaver
I don't have a gui on that machine

What the fwbuilder program does is make up an iptables for you. So you can make it up on any machine and copy the appropriate files over to the machine in question.

As for if you can do that specific thing in question without requireing something outside of iptables, I'm not sure. My network knowledge isn't up to that question

 

[nweaver]

I think I might have some iptables stuff working. I did have to add the gatway, but I just don't allow access to anything but the 5900-5920 ports out or into the machine, so it can't use those ports for anything else.

I was looking for a VNC proxy (great idea!) but could only find an alpha version, and I need to have this fairly stable, or else the test execution team from India will be getting me out of bed alot

 

[Corey0808]

Why don't you try and go here and check out the networking forum. It is definitely more linux oriented.

LQ

From a high level standpoint it seems you have a routing / masquarading task here. I think there are commands to change the source if you check out:

IPTables Tutorial

This command might be the one for you, not sure though:

DNAT

Good Luck!

 

[Brazen]

It almost sounds like maybe you want to use masquerading on the traffice coming IN to the network.

 

[Devistater]

Some great sites Corey0808. Thanks!

 

[Corey0808]

No Problem!!! I just started diving into linux