Message-ID: <482017E5.40006@rambler.ru>
Date: Tue, 06 May 2008 11:33:41 +0300
From: Denis Yagofarov
To: ALT Linux sysadmin discuss
References: <48200ADA.2010801@rambler.ru> <685314b70805060040u2682a682qed61f8d6927bfd8@mail.gmail.com> <48201052.30308@rambler.ru> <482011D8.1050700@mmascience.ru>
In-Reply-To: <482011D8.1050700@mmascience.ru>
Subject: Re: [Sysadmins] iptables rules for redirecting HTTP traffic to a proxy

Vladimir wrote:
> Denis Yagofarov wrote:
>> hmm...
>> # iptables -t nat -A PREROUTING -i 192.168.0.0/16 -p tcp --dport 21
>> -j SNAT --to 10.3.0.5:3128
>> iptables: Invalid argument
>>
>
> That's right: if it's SNAT, the chain is POSTROUTING

Added it....
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to 10.3.0.5:3128

Trying to browse Google.
In theory, it is 10.3.0.5 that should be asking about it, _not_ my host:
# tcpdump -i veth1 src host 192.168.1.1 or src host 10.3.0.2 or dst host 192.168.1.1 or dst host 10.3.0.2

But here is what is on the router's outgoing interface:
# tcpdump -i eth1 src host 192.168.1.111 and dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:32:43.255632 IP 192.168.1.111.4777 > fk-in-f99.google.com.http: S 3757065542:3757065542(0) win 65535
13:32:43.306224 IP 192.168.1.111.4777 > fk-in-f99.google.com.http: . ack 1970806748 win 65535
13:32:43.306724 IP 192.168.1.111.4777 > fk-in-f99.google.com.http: P 0:750(750) ack 1 win 65535
13:32:43.390926 IP 192.168.1.111.4777 > fk-in-f99.google.com.http: . ack 3094 win 65535

Alas, the packets are not getting into the chain :(
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:10.3.0.5:3128
SNAT       tcp  --  anywhere             anywhere            tcp dpt:ftp to:10.3.0.5:3128

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
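The chain and option constraints behind the "Invalid argument" error and the POSTROUTING reply above, as an added example that is not part of the original message: a small Python checker run over the two rules quoted in the thread. The function names are hypothetical; the chain tables follow the iptables(8) and iptables-extensions(8) man pages of current releases.

```python
import ipaddress
import shlex

# Chains where each nat target is accepted, per iptables-extensions(8).
TARGET_CHAINS = {
    "SNAT": {"POSTROUTING", "INPUT"},
    "MASQUERADE": {"POSTROUTING"},
    "DNAT": {"PREROUTING", "OUTPUT"},
    "REDIRECT": {"PREROUTING", "OUTPUT"},
}
# Chains where the interface matches are accepted, per iptables(8).
IFACE_CHAINS = {
    "-i": {"PREROUTING", "INPUT", "FORWARD"},
    "-o": {"POSTROUTING", "OUTPUT", "FORWARD"},
}

def is_network(value):
    """True if value parses as an IP address or CIDR network."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def lint_nat_rule(rule):
    """Return the problems found in one 'iptables -t nat -A ...' line."""
    args = shlex.split(rule.lstrip("# "))
    # Pair every option with the token that follows it.
    opts = {a: b for a, b in zip(args, args[1:]) if a.startswith("-")}
    chain, target = opts.get("-A"), opts.get("-j")
    problems = []
    if target in TARGET_CHAINS and chain not in TARGET_CHAINS[target]:
        problems.append(f"{target} is not valid in {chain}")
    for flag, chains in IFACE_CHAINS.items():
        if flag not in opts:
            continue
        if chain not in chains:
            problems.append(f"{flag} cannot be used in {chain}")
        if is_network(opts[flag]):
            problems.append(f"{flag} expects an interface name, got {opts[flag]}")
    return problems

# The two rules quoted in the message above.
RULES = [
    "# iptables -t nat -A PREROUTING -i 192.168.0.0/16 -p tcp --dport 21 -j SNAT --to 10.3.0.5:3128",
    "# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to 10.3.0.5:3128",
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule, "->", lint_nat_rule(rule) or "no placement problems")
```

A rule that passes these checks is only one that iptables will accept. SNAT rewrites the source address of a packet, so passing says nothing about where the packet is delivered.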