[CentOS] iptables port forwarding

Sun Jun 26 21:21:41 UTC 2011
Marian Marinov <mm at yuhu.biz>

On Monday 27 June 2011 00:08:08 muiz wrote:
> Thanks Marian,
> The server only has one IP. I think I should add more iptables records,
> only one NAT record is not enough, is it correct? If yes, then how?

Huh, I'm sorry, yes, you need a second rule. So the rules are:
iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
iptables -t nat -A POSTROUTING -j SNAT -s local_ip/local_net --to 192.168.1.250
echo 1 > /proc/sys/net/ipv4/ip_forward

The Source NAT (SNAT) rule is needed, because otherwise the packets that reach 
a.b.c.d will be coming from the IP of the local client, not 192.168.1.250, and 
so 192.168.1.250 will never receive the replies from a.b.c.d.
Since the packets reach the client directly from a.b.c.d, the client will 
simply disregard them and will wait for packets coming from .1.250.

So the SNAT rule changes the SOURCE IP of the packets to 1.250 so a.b.c.d will 
return the answers to the right source.

Marian

> 
> 
>  2011-06-26 23:38:58,"Marian Marinov" <mm at yuhu.biz> wrote:
> 
> >On Sunday 26 June 2011 12:53:07 muiz wrote:
> >> Dear all,
> >> 
> >> I would like to forward a port to an internet server, but failed. Can you
> >> help me?
> >> 
> >> Server:  eth0: 192.168.1.250, Port: 8080 TCP, CentOS 5.6
> >> Remote server:   IP: a.b.c.d  Port: 8181
> >> 
> >> Forward path:  client1(192.168.1.10) -> 192.168.1.250:8080 (forward) ->
> >> a.b.c.d  Port: 8181
> >> 
> >> In Fedora, I successfully configured the firewall using
> >> system-config-firewall and the iptables command:
> >> 1. Run system-config-firewall
> >>  1.1 open local port 8080
> >>  1.2 add a forward rule: local 8080 to remote a.b.c.d:8181, tcp
> >> 2. echo 1 > /proc/sys/net/ipv4/ip_forward
> >> 3. add an iptables rule:
> >>    /sbin/iptables -t nat -A POSTROUTING -d a.b.c.d -p tcp --dport 8181 -j MASQUERADE
> >> That's all.
> >> 
> >> Thanks !
> >
> >You have to use Destination NAT for the job:
> >
> >iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8080 --to a.b.c.d:8181
> >echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> >If you have more than one IP on the local machine it's a good idea to
> >specify the destination -d 192.168.1.250
> >
> >Marian
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
Best regards,
Marian Marinov
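An added example, not from the thread: a POSIX shell helper that emits the complete rule set for the setup above (DNAT on PREROUTING, SNAT on POSTROUTING narrowed to just the forwarded flow rather than the whole LAN, FORWARD chain acceptance, and ip_forward). It uses the thread's addresses, with a.b.c.d replaced by the RFC 5737 documentation address 203.0.113.10 and an assumed LAN of 192.168.1.0/24; both are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Generates, and optionally applies,
# the NAT rules for: LAN client -> 192.168.1.250:8080 -> remote:8181.
# Placeholders: 203.0.113.10 stands in for a.b.c.d, 192.168.1.0/24 is an
# assumed LAN; substitute your own values.

# forward_rules LOCAL_IP LOCAL_PORT REMOTE_IP REMOTE_PORT LAN_NET
# Prints the commands one per line without running them (review first).
forward_rules() {
    local_ip=$1; local_port=$2; remote_ip=$3; remote_port=$4; lan_net=$5
    # 1. DNAT: traffic for local_ip:local_port is sent on to remote_ip:remote_port.
    #    "-d local_ip" keeps the rule from catching other addresses on the box.
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$local_ip" "$local_port" "$remote_ip" "$remote_port"
    # 2. SNAT: replies must come back to this box so conntrack can reverse both
    #    rewrites. Matching on remote_ip/port limits this to the forwarded flow;
    #    a bare "-s lan_net" SNAT would also rewrite unrelated LAN traffic.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$lan_net" "$remote_ip" "$remote_port" "$local_ip"
    # 3. The filter FORWARD chain must also accept the flow (CentOS's default
    #    ruleset rejects forwarded traffic). Allow only this flow and its replies.
    printf 'iptables -I FORWARD -s %s -d %s -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$lan_net" "$remote_ip" "$remote_port"
    printf 'iptables -I FORWARD -s %s -p tcp --sport %s -m state --state ESTABLISHED -j ACCEPT\n' \
        "$remote_ip" "$remote_port"
    # 4. Enable routing between interfaces (same knob as /proc/sys/net/ipv4/ip_forward).
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# apply_forward: runs the generated commands; refuses to run unprivileged.
apply_forward() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_forward: run as root" >&2; return 1; }
    forward_rules "$@" | sh -e
}

# Example with the thread's values (a.b.c.d -> placeholder 203.0.113.10):
# forward_rules 192.168.1.250 8080 203.0.113.10 8181 192.168.1.0/24
```

Neither `sysctl -w` nor the rules survive a reboot on CentOS 5: add `net.ipv4.ip_forward = 1` to /etc/sysctl.conf and run `service iptables save` after applying.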