From mboxrd@z Thu Jan 1 00:00:00 1970
From: rgr@sdf.lonestar.org (Rob Ristroph)
To: 9fans@cse.psu.edu
Subject: Re: [9fans] NAT'ing a drawterm connection
References:
In-Reply-To:
Message-ID: <87ad9ypbbv.fsf@rgristroph-austin.ath.cx>
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Common Lisp)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 25 Aug 2003 00:15:16 -0500
Topicbox-Message-UUID: 205fe390-eacc-11e9-9e20-41e7f4b1d025

>>>>> "andrey" == andrey mirtchovski writes:

andrey> your bug is that you need to change the --dport appropriately for each
andrey> different port:
andrey>
andrey> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 564 -j DNAT --to-destination 192.168.1.3
andrey> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 17008 -j DNAT --to-destination 192.168.1.3
andrey> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 17010 -j DNAT --to-destination 192.168.1.3
andrey> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 17013 -j DNAT --to-destination 192.168.1.3
andrey>
andrey> i believe only 564 and 17008 are important, but i can't connect right now to
andrey> give you netstat...
andrey>
andrey> andrey
andrey>
andrey> On 24 Aug 2003, Rob Ristroph wrote:
andrey>
>> # Port forwarding to try to make drawterm to Plan 9 machine work
>> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 567 -i eth0 -j DNAT --to 192.168.1.18:567
>> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 567 -i eth0 -j DNAT --to 192.168.1.18:17007
>> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 567 -i eth0 -j DNAT --to 192.168.1.18:17008
>>

That's definitely a bug. However, I suspect the 17xxx lines should
not be there at all. Instead:

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 567 -i eth0 -j DNAT --to 192.168.1.18:567
/sbin/iptables -A FORWARD -m state --state RELATED -j ACCEPT

But this may require a special connection tracking module in the Linux
netfilters package that would know that the 17xxx connection was
"related" to the forwarded 567 connection and route it accordingly.

I have no idea if those are the right options on the second line
there, I just cut-and-pasted it from a post about getting one of the
online games to work through a NAT.

Are those 17xxx connections established from drawterm to the cpu/auth
server, or from the Plan 9 computer to drawterm?

Perhaps I can find out by running snoopy...

--Rob
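
The bug discussed in this thread (several DNAT rules with the same match but different targets) can be checked for mechanically. The script below is an added example, not part of the original message; the function names `find_shadowed_dnat` and `count_shadowed` are hypothetical, and the sample input is the three rules quoted above, embedded as text.

```shell
#!/bin/sh
# Sample input: the three PREROUTING rules quoted in the thread
# (identical match, three different --to targets), embedded as text.
SAMPLE_RULES='/sbin/iptables -t nat -A PREROUTING -p tcp --dport 567 -i eth0 -j DNAT --to 192.168.1.18:567
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 567 -i eth0 -j DNAT --to 192.168.1.18:17007
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 567 -i eth0 -j DNAT --to 192.168.1.18:17008'

# find_shadowed_dnat (hypothetical helper): read iptables command lines on
# stdin and print one line per DNAT rule whose chain, protocol, input
# interface and --dport are identical to an earlier DNAT rule. Rules in a
# chain are tried in order and DNAT ends traversal, so the later rule can
# never take effect. Limitation: only exact duplicates of the match are
# detected, not a broader rule that covers a narrower one.
find_shadowed_dnat() {
    awk '
    {
        chain = proto = iface = dport = target = ""; dnat = 0
        for (i = 1; i < NF; i++) {
            if ($i == "-A") chain = $(i+1)
            else if ($i == "-p") proto = $(i+1)
            else if ($i == "-i") iface = $(i+1)
            else if ($i == "--dport") dport = $(i+1)
            else if ($i == "-j" && $(i+1) == "DNAT") dnat = 1
            else if ($i == "--to" || $i == "--to-destination") target = $(i+1)
        }
        if (!dnat) next
        key = chain " " proto " " iface " " dport
        if (key in first)
            printf "shadowed: %s -> %s (earlier rule sends it to %s)\n", key, target, first[key]
        else
            first[key] = target
    }'
}

# count_shadowed (hypothetical helper): number of shadowed rules on stdin.
count_shadowed() { find_shadowed_dnat | wc -l | tr -d ' '; }

# Stand-alone run: report the shadowed rules in the sample.
printf '%s\n' "$SAMPLE_RULES" | find_shadowed_dnat
```

To check a live ruleset, feed the function the output of `iptables-save -t nat`, which uses the same `-A CHAIN ...` rule syntax.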