Forwarding all incoming traffic on eth0 to go to eth1


What you need is Destination NAT (DNAT): A good start is this post on SU: Use port forwarding with masquerade

You don't actually need to specify a port range.

# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to ${LAN_SERVER_IP}

See netfilter documentation or this page

This page also has some information about possible caveats when reaching the server from LAN (it has to be SNAT-ed).

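The rule set the answer sketches, written out for the asker's eth0/eth1 layout as an added example (not code from the original post or the linked pages); interface names, addresses and the LAN prefix are placeholder assumptions, and RUN defaults to echo so the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: DNAT forwarding of everything arriving on eth0 (modem side)
# to the router on eth1, plus the LAN-side hairpin caveat from the answer.
# Addresses are constructed placeholders. RUN defaults to "echo" so the script
# only prints the commands; run as root with RUN= (empty) to apply them.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IP="${WAN_IP:-203.0.113.10}"               # placeholder public address
LAN_SERVER_IP="${LAN_SERVER_IP:-192.168.1.1}"  # placeholder: router on eth1
LAN_NET="${LAN_NET:-192.168.1.0/24}"           # placeholder LAN prefix
RUN="${RUN-echo}"                              # unset -> print; empty -> apply

build_rules() {
    # Nothing is forwarded between interfaces until routing is enabled.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # 1. DNAT every packet arriving on eth0 to the LAN server. No -p/--dport,
    #    so all ports and protocols are forwarded, as the answer says.
    $RUN iptables -t nat -A PREROUTING -i "$WAN_IF" \
        -j DNAT --to-destination "$LAN_SERVER_IP"

    # 2. FORWARD: only DNAT-ed flows, LAN-originated flows and their replies
    #    cross the box, so it is not an open router for anything else.
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $RUN iptables -A FORWARD -o "$LAN_IF" -d "$LAN_SERVER_IP" \
        -m conntrack --ctstate DNAT -j ACCEPT

    # 3. Outbound masquerading, the part the asker already had working.
    $RUN iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # 4. Hairpin caveat: a LAN host connecting to the public address enters on
    #    eth1, so rule 1 never sees it; it needs its own DNAT, and its source
    #    must be SNAT-ed too, or the server replies to the client directly
    #    and the client drops the answer as coming from the wrong address.
    $RUN iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$WAN_IP" \
        -j DNAT --to-destination "$LAN_SERVER_IP"
    $RUN iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$LAN_SERVER_IP" \
        -o "$LAN_IF" -j MASQUERADE
}

build_rules
```

Review the printed rules first; with RUN= they are appended to whatever is already loaded, so flush or check the existing nat and filter tables before applying.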

Author: George

Updated on September 18, 2022

Comments

  • George over 1 year

    I am trying to set up my Raspberry Pi to sit between my router and my modem. I'm basically trying to set it up as an intercepting proxy so that all web traffic goes through the proxy.

    I have the modem connected to eth0 and the router to eth1. Everything works fine now; I have my iptables set up and all web traffic goes through the proxy. What I need to make happen, though, is to allow all incoming traffic on eth0 to go directly to eth1. Is this possible to do with iptables, or do I need to create a bridge between the two to make this happen?

    If I need to create a bridge, how can I do that while still intercepting web traffic?

    • Cilyan about 10 years
      There are a lot of resources on the net about NAT using iptables, for example revsys.com/writings/quicktips/nat.html. And actually, securing your internet access will require that you master some other topics that can't be summed up here.
    • George about 10 years
      @Cilyan thanks for the link. I've come across that post before, and the setup he has is basically what I did. This is not the issue, though; NAT is fine. This works fine for traffic initiated from eth1, but not the other way around. I need the outside world (eth0) to be able to connect to any arbitrary port and let the router (which is connected to eth1) decide what to do with that traffic.
    • Cilyan about 10 years
      Will the routing from eth0 to eth1 target a single IP? Or do you want to do port-forwarding? NATing is done to mask the underlying network, so you won't be able to distinguish destination machines from the outside.
    • George about 10 years
      Just a single IP.
    • Cilyan about 10 years
      Then you are looking for DNAT: superuser.com/questions/466925/… Interesting tips here too: lamp-dev.com/iptables-port-forwarding-with-snat-and-dnat/274 You don't need to specify a port range. netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.2
    • George about 10 years
      @Cilyan that's awesome, that's exactly what I was looking for, thanks! If you put that as an answer below I'll accept it.