[ale] NAT And traffic redirection

Christopher Fowler cfowler at outpostsentinel.com
Thu Dec 7 12:21:50 EST 2006


On Thu, 2006-12-07 at 11:57 -0500, Robert L. Harris wrote:
> $IPTABLES -A Allow -p tcp --source aaa.bbb.ccc.0/24 --dport 9000 -j
> ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 9000 -j DNAT
> --to 192.168.7.8:9000

To me this looks like regular NAT.  I'm doing this on my firewall now.
The problem I have is that these Windows services sometimes use multiple
TCP ports to communicate.  The client contacts the service and the
service _randomly_ picks a port and sends that back to the client.  The
client then closes that port and connects on the newly assigned port.  I
do not know if 9000 will be used as in your example.

What I tried was this:

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 0 -d 192.168.1.116 -j DNAT --to 192.168.9.5
/sbin/iptables -t nat -A PREROUTING -p udp --dport 0 -d 192.168.1.116 -j DNAT --to 192.168.9.5


I basically was telling the kernel that any TCP or UDP going to
192.168.1.116 should be sent to 192.168.9.5 on the same port.  I know it
doesn't work, so I think I've told the kernel the wrong thing to do.

I've also configured an alias of 192.168.1.116 on eth0:1.  I figured
this way I could map that virtual address to the real machine using
those rules. 

I wanted to do this without adding routes on 192.168.7.8 or any client
machines.  The Linux device is VPN'd to 10.200.10.10 and that machine is
using proxy ARP to answer on behalf of that Linux box that is located at
another location.  So I do not think that 10.200.10.10 would
automatically know to also answer for the alias address assigned to
ppp0:1.

I'm trying the alias address route because I want to "virtually" assign
192.168.7.8 an address on my subnet and have all traffic to that
address NATted to 192.168.7.8.  I can't control what services will be
accessed so I want _all_ traffic routed between me and that end.
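The following is an added example, not code from the message above or from the list. It loads the 1:1 "alias" NAT that the message is after, using the two addresses the message gives (alias 192.168.1.116, real server 192.168.9.5) as assumed values. The reason the posted rules matched nothing is that `--dport 0` is a match on destination port exactly 0, not on "any port"; to translate every port, the DNAT rule carries no port match (and no `-p`) at all, so a service that hands the client a random secondary port still works, because that second connection is also addressed to the alias and is also rewritten. The `DRY_RUN` switch, the `FORCE_REPLY_PATH` switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the poster's code): 1:1 NAT of an alias address onto a
# real server for every protocol and every port. Assumed values are taken
# from the message where it gives them; override them in the environment.
set -eu

ALIAS_IP="${ALIAS_IP:-192.168.1.116}"   # address the clients talk to (the eth0:1 alias)
REAL_IP="${REAL_IP:-192.168.9.5}"       # real server behind the firewall

# DRY_RUN=1 prints the commands instead of executing them (no root needed).
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}
sysctl_set() {
    if [ -n "${DRY_RUN:-}" ]; then echo "sysctl -w $*"; else sysctl -w "$@"; fi
}

apply_alias_nat() {
    sysctl_set net.ipv4.ip_forward=1

    # Inbound: rewrite destination ALIAS_IP -> REAL_IP. No -p and no --dport,
    # so TCP, UDP and anything else on any port is translated. "--dport 0"
    # would only ever match port 0. conntrack un-translates each connection's
    # replies on its own; no reverse rule is needed for that.
    ipt -t nat -A PREROUTING -d "$ALIAS_IP" -j DNAT --to-destination "$REAL_IP"
    # Same for connections that the firewall itself opens to the alias.
    ipt -t nat -A OUTPUT -d "$ALIAS_IP" -j DNAT --to-destination "$REAL_IP"

    # Outbound: connections the real server opens leave with the alias as
    # source, so the mapping is 1:1 in both directions.
    ipt -t nat -A POSTROUTING -s "$REAL_IP" -j SNAT --to-source "$ALIAS_IP"

    # If the real server's default route does not lead back through this box,
    # its replies never pass here and the DNAT is never undone. With
    # FORCE_REPLY_PATH=1 the client's address is masqueraded as well, so the
    # server answers the firewall regardless of its routing; the cost is that
    # the server's logs then show the firewall instead of the client.
    if [ -n "${FORCE_REPLY_PATH:-}" ]; then
        ipt -t nat -A POSTROUTING -d "$REAL_IP" -j MASQUERADE
    fi

    # The filter table must let the translated packets through too. FORWARD
    # runs after the nat PREROUTING rewrite, so the inbound match is on REAL_IP.
    ipt -A FORWARD -d "$REAL_IP" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s "$REAL_IP" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# On a live box: the PREROUTING DNAT counters should climb as clients connect,
# including on the randomly assigned second port.
show_translation() {
    ipt -t nat -L PREROUTING -n -v
    ipt -t nat -L POSTROUTING -n -v
}

case "${1:-}" in
    apply)   apply_alias_nat ;;
    dry-run) DRY_RUN=1; apply_alias_nat ;;
    check)   show_translation ;;
    *)       echo "usage: $0 apply|dry-run|check" >&2 ;;
esac
```

Run it with `dry-run` first to see the exact rules, then `apply` as root. The alias on eth0:1 is only what makes this box answer ARP for 192.168.1.116 on its own Ethernet segment; the DNAT rule itself does not need the address to be bound locally, it only needs the packets for that address to arrive at this box. On a point-to-point link there is no ARP, so a host that proxy-ARPs for this box elsewhere has to be told about the alias address too, or hold a route for it.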
