[CentOS] A little iptables help

Les Mikesell lesmikesell at gmail.com
Wed Sep 28 19:34:27 UTC 2005

On Wed, 2005-09-28 at 13:09, James Pifer wrote:
> > This need to happen in the nat table:
> > 
> > iptables -t nat -A PREROUTING -p tcp -d --dport 5900 -j DNAT 
> > --to-destination
> > 
> > Make sure is using as its router for this traffic.
> > 
> > Kirk
> I can't make use as the router. 

Other way around - the actual destination must route back through the
one that did the DNAT.

The packet has to come back through the same machine so the reverse
nat is applied to the returning packets on the connection.  Otherwise
the originating client will see packets coming back from
and not associate it with the connection it is trying to make to

> If I loaded a port forwarding application on and had it
> forward ports to .4 for port 5900 I would not have this requirement. 
> Can't iptables to the same thing somehow?

You have to source nat as well if the packets wouldn't otherwise
route back through the host doing DNAT.

> I have a java application that would do the port forwarding I need,
> EXCEPT, that application will not let me restrict by ip address. BUT,
> now that I think about it, I could run this java application to forward
> the ports and just use iptables to make that port only available to
> certain IPs. It would be accomplishing the same thing I suppose. 
> Would still rather do it with iptables since that would be one less
> point of failure. 

Note that xinetd can also proxy any tcp connection with its 'redirect'
option, and the destination server will see the xinetd host as the
source and thus return packets without concerns about routing to the

  Les Mikesell
    lesmikesell at gmail.com
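As an added illustration of the return-path point made in this thread (not code from the thread or from CentOS), here is a small Python model of the NAT host's connection tracking: DNAT alone only works if the server's reply routes back through the NAT host, while adding SNAT forces that. Addresses and the allowed-client set are constructed placeholders from the RFC 5737 documentation ranges.

```python
# Added example: toy model of iptables DNAT/SNAT connection tracking.
# Addresses are constructed (RFC 5737 ranges), not the thread's real hosts.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


CLIENT, NAT_HOST, REAL_SERVER = "192.0.2.10", "198.51.100.1", "198.51.100.4"
ALLOWED_CLIENTS = {"192.0.2.10"}   # the "restrict by ip" the poster wants (-s)


class NatHost:
    """Models PREROUTING DNAT (+ optional POSTROUTING SNAT) with a conntrack table."""

    def __init__(self, snat: bool):
        self.snat = snat
        self.conntrack = {}   # reply tuple as seen by the NAT host -> original packet

    def forward(self, p: Packet):
        """Client -> server direction. Returns translated packet, or None if dropped."""
        if p.dst != NAT_HOST or p.dport != 5900 or p.src not in ALLOWED_CLIENTS:
            return None
        src = NAT_HOST if self.snat else p.src   # SNAT rewrites the source too
        out = Packet(src, p.sport, REAL_SERVER, 5900)   # real conntrack may also pick a new sport
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = p
        return out

    def reverse(self, p: Packet):
        """Server -> client direction: undo the translation(s) via conntrack."""
        orig = self.conntrack.get((p.src, p.sport, p.dst, p.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def client_sees_reply(snat: bool, reply_via_nat_host: bool) -> bool:
    """Does the server's reply match the connection the client actually opened?"""
    nat = NatHost(snat)
    sent = Packet(CLIENT, 40000, NAT_HOST, 5900)
    fwd = nat.forward(sent)
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)   # server answers fwd's source
    # With SNAT the reply is addressed to the NAT host, so it always passes through it;
    # without SNAT it only does so if the server's routing happens to send it that way.
    if snat or reply_via_nat_host:
        reply = nat.reverse(reply)
    return reply == Packet(sent.dst, sent.dport, sent.src, sent.sport)
```

Without SNAT and with the server replying directly, the client receives a packet from the real server's address and cannot match it to its connection to the NAT host; the other two combinations succeed.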
