On Wed, Sep 28, 2005 at 02:35:39PM -0400, James Pifer wrote:
> On Wed, 2005-09-28 at 11:20 -0700, Kirk Bocek wrote:
> > James Pifer wrote:
> > > I can't make 10.10.60.3 use 10.10.60.4 as the router.
> >
> > I might be wrong about needing to use 10.10.60.3 for the return traffic. The DNAT
> > function on 10.10.60.3 won't change the source IP address. As long as 10.10.60.4 has a
> > route to the first network, this should still work.
> >
> > > If I loaded a port forwarding application on 10.10.60.3 and had it
> > > forward ports to .4 for port 5900 I would not have this requirement.
> > >
> > > Can't iptables do the same thing somehow?
> >
> > You lost me here. Iptables *is* our 'port forwarding application' on 10.10.60.3.
> > The rule I wrote would accept traffic going to 10.10.60.3:5900 and send it back out
> > to 10.10.60.4:5900.
>
> Okay, doesn't seem to be doing it. I must be doing something wrong. I'll
> play with it more this evening.

Hummm, it will be really complicated to do this, since you will need 2
terminating rules to be applied. So, you will need to use 2 tables for it.

  iptables -t nat -A PREROUTING -p tcp -s ! 10.0.0.0/8 --destination-port 5900 -j DNAT --to-destination 10.10.60.4
  iptables -t nat -A POSTROUTING -p tcp -d 10.10.60.4 --destination-port 5900 -j MASQUERADE

Of course, you can use -j SNAT --to-source 10.10.60.3 to get the same effect
of -j MASQUERADE. I'm just lazy.

By port forwarding application, I think he means a SOCKS{4,5} Proxy. Which is
NOT a port forward application.

[]s

--
Rodrigo Barbosa <rodrigob at suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
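The DNAT/SNAT pair Rodrigo describes, written out as a complete script. This is an added example, not code from the thread or from any of its posters. The addresses (10.10.60.3, 10.10.60.4), the port (5900) and the 10.0.0.0/8 exclusion come from the thread; everything else is an assumption: the negation is written in the `! -s` form that current iptables requires (the `-s !` form in the post is the old syntax), the PREROUTING rule is restricted to `-d 10.10.60.3` so only traffic actually addressed to that host is rewritten, the FORWARD-chain rules and the `ip_forward` sysctl are added because DNAT'd packets still have to be forwarded, and the script prints the commands by default (pass `apply` to run them) so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT + SNAT port forward of VNC (tcp/5900)
# from 10.10.60.3 to 10.10.60.4, with the forwarding pieces the thread leaves implicit.
# Interface-independent on purpose; all names below are this example's own.

FRONT_HOST="10.10.60.3"    # host that receives the VNC connection (from the thread)
TARGET_HOST="10.10.60.4"   # host that actually runs VNC (from the thread)
PORT="5900"                # VNC display :0 (from the thread)
INTERNAL_NET="10.0.0.0/8"  # clients here reach TARGET_HOST directly; do not rewrite them

# Dry run by default: print the commands instead of executing them.
RUN="echo"
if [ "$1" = "apply" ]; then RUN=""; fi

nat_rules() {
  # 1. PREROUTING/DNAT: new connections from outside INTERNAL_NET addressed to
  #    FRONT_HOST:PORT get their destination rewritten to TARGET_HOST.
  #    "! -s" is the modern negation syntax; the post's "-s !" no longer parses.
  $RUN iptables -t nat -A PREROUTING -p tcp ! -s "$INTERNAL_NET" -d "$FRONT_HOST" \
       --dport "$PORT" -j DNAT --to-destination "$TARGET_HOST"
  # 2. POSTROUTING/SNAT: rewrite the source to FRONT_HOST so TARGET_HOST's replies
  #    come back through this box even when TARGET_HOST has no route to the client.
  #    Equivalent to "-j MASQUERADE" here, but explicit about the address used.
  #    Side effect to remember: TARGET_HOST now sees FRONT_HOST as the client for every
  #    forwarded session, so its own VNC logs lose the real source address.
  $RUN iptables -t nat -A POSTROUTING -p tcp -d "$TARGET_HOST" --dport "$PORT" \
       -j SNAT --to-source "$FRONT_HOST"
}

forward_rules() {
  # Translated packets still traverse the FORWARD chain. With a DROP policy these
  # two rules are needed, otherwise the connection dies silently after DNAT.
  $RUN iptables -A FORWARD -p tcp -d "$TARGET_HOST" --dport "$PORT" \
       -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  $RUN iptables -A FORWARD -p tcp -s "$TARGET_HOST" --sport "$PORT" \
       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

enable_forwarding() {
  # Without this the kernel drops the translated packet; a common reason a
  # DNAT rule "doesn't seem to be doing it".
  $RUN sysctl -w net.ipv4.ip_forward=1
}

# Stand-alone run: dry-run prints the four iptables commands and the sysctl.
enable_forwarding
nat_rules
forward_rules
```

If the real client address matters on 10.10.60.4 (for its logs or for access control), drop the POSTROUTING rule and instead give 10.10.60.4 a route to the client network via 10.10.60.3, which is the alternative Kirk raises in the quoted text; DNAT alone leaves the source address untouched.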