[CentOS] A little iptables help

Wed Sep 28 15:56:56 UTC 2005
Rodrigo Barbosa <rodrigob at suespammers.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Sep 28, 2005 at 11:37:41AM -0400, James Pifer wrote:
> On Wed, 2005-09-28 at 12:11 -0300, Rodrigo Barbosa wrote:
> > > allow: port 80
> > > allow: forward port 8000 for x.x.x.x to y.y.y.y
> > 
> > Forward port 8000 to several hosts might be difficult using only iptables.
> > You might want to take a look at LVS (Linux Virtual Server) for that,
> > on http://www.linuxvirtualserver.org/
> 
> No, I need to forward several machines through a specific port to a
> single machine. Not "forward 8000 to several hosts". 
> 
> Still looking over the other responses.

Humm, that should be relatively simple:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --destination-port 8000 -j DNAT --to-destination ${DESTINATION_SERVER}

iptables -A FORWARD -p tcp --destination-port 8000 -d ${DESTINATION_SERVER} -s ${SOURCE1} -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 8000 -d ${DESTINATION_SERVER} -s ${SOURCE2} -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 8000 -d ${DESTINATION_SERVER} -s ${SOURCE3} -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 8000 -d ${DESTINATION_SERVER} -s ${SOURCE4} -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 8000 -d ${DESTINATION_SERVER} -j REJECT --reject-with tcp-reset


SOURCEX can be either a single IP address, or a network/netmask pair.

[]s

- -- 
Rodrigo Barbosa <rodrigob at suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDOr1HpdyWzQ5b5ckRAqJAAJ99nLSPq8hOkTrZyWJAOY5N/SQRVwCaA9Cr
5nxgHn9CunpeNHVblDw/rNk=
=YotM
-----END PGP SIGNATURE-----