dnat

Translate the destination address of connections matched by FILTER.

Syntax

dnat help | [action ACTION] [CHAIN] [FILTER] to-addr NEW_DESTINATION

ACTION := insert | append | delete

Overrides the default action, which is defined in the file /etc/flex-fw/vars/base/action (usually append).


CHAIN := output | prerouting | chain IPTABLES_CHAIN

The iptables chain to which the new rule is added.

Default: prerouting


FILTER := [FROM] [TO] [proto PROTO]


NEW_DESTINATION := [IPADDR[-IPADDR]][:PORT_NUMBER[-PORT_NUMBER]]

An IPv4 address or address range, optionally followed by a port or port range.


FROM := { [in-if IFACE] [src IPADDR] } | from ZONE

Source part of filter.


TO := dst IPADDR

Destination part of filter (only IP address allowed, no interface).


PROTO := any | { tcp [SOURCE_PORT] [DESTINATION_PORT] } | { udp [SOURCE_PORT] [DESTINATION_PORT] } | PROTO_NUMBER

Network protocol and related port information.


IFACE := any | INTERFACE_NAME

Network interface name. any is a synonym for + (the iptables interface wildcard).


IPADDR := any | IPv4_ADDRESS

IPv4 host or network address, for example 192.168.0.12 or 192.168.0.0/16. any is a synonym for 0.0.0.0/0.


ZONE := name of zone described in the file /etc/flex-fw/zones/zonename

The zonename file contains one entry per line, each consisting of an interface name and an IPv4 address separated by spaces. See zones for details.


SOURCE_PORT := sport PORT | sports PORT,PORT,...

Source port(s) for TCP or UDP protocol.


DESTINATION_PORT := dport PORT | dports PORT,PORT,...

Destination port(s) for TCP or UDP protocol.


PORT := any | priv | unpriv | PORT_NUMBER | PORT_NUMBER:PORT_NUMBER

TCP or UDP port. any is equal to 0:65535, priv is equal to 0:1023, and unpriv is equal to 1024:65535.


PROTO_NUMBER := the numeric protocol value as listed in /etc/protocols.

Examples

Redirect incoming ICMP and HTTP/HTTPS connections to a web server in the DMZ

dnat to-addr $ipDmzServer dst $ipWan
allow forward from zoneInternet dst $ipDmzServer proto icmp
allow forward from zoneInternet dst $ipDmzServer proto tcp sport unpriv dport http
allow forward from zoneInternet dst $ipDmzServer proto tcp sport unpriv dport https

Redirect port 1022 to port 22 on another host

dnat to-addr $ipAnotherHost:22 dst $ipOneHost proto tcp dport 1022
allow forward src any dst $ipAnotherHost proto tcp dport 22
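The following is an added example, not flex-fw's own code: a small POSIX shell script that checks a NEW_DESTINATION string against the grammar given above ([IPADDR[-IPADDR]][:PORT_NUMBER[-PORT_NUMBER]]) and renders the two examples as the iptables commands they correspond to. The dnat-to-iptables mapping (insert/append/delete to -I/-A/-D, prerouting/output to the PREROUTING/OUTPUT chains of the nat table, to-addr to the DNAT target with --to-destination) is an assumption about how the tool works; the iptables syntax itself is standard. The addresses are constructed from the RFC 5737 documentation ranges and stand in for the page's $ipWan, $ipDmzServer, $ipOneHost and $ipAnotherHost variables.

```shell
#!/bin/sh
# Added example (not flex-fw code): validate NEW_DESTINATION and show the
# iptables invocations the dnat examples correspond to (assumed mapping).

ip_ok() {
    # Dotted-quad syntax check via expr(1), then every octet must be <= 255.
    expr "x$1" : 'x[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' >/dev/null || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

port_ok() {
    # 1-5 digits and within the 16-bit port range.
    expr "x$1" : 'x[0-9]\{1,5\}$' >/dev/null && [ "$1" -le 65535 ]
}

# valid_newdst STRING: accept [IPADDR[-IPADDR]][:PORT[-PORT]], reject anything else.
valid_newdst() {
    case "$1" in ''|*:) return 1 ;; esac      # empty, or a ':' with no port after it
    addr=${1%%:*}                             # text before the first ':' (may be empty)
    port=${1#"$addr"}; port=${port#:}         # text after it (may be empty)
    if [ -n "$addr" ]; then
        case "$addr" in
            *-*) ip_ok "${addr%%-*}" && ip_ok "${addr#*-}" || return 1 ;;
            *)   ip_ok "$addr" || return 1 ;;
        esac
    fi
    if [ -n "$port" ]; then
        case "$port" in
            *-*) port_ok "${port%%-*}" && port_ok "${port#*-}" || return 1 ;;
            *)   port_ok "$port" || return 1 ;;
        esac
    fi
    return 0
}

# dnat_rule ACTION CHAIN MATCH NEW_DESTINATION: print the assumed iptables equivalent.
# MATCH is already-built iptables match text, e.g. "-d 203.0.113.10 -p tcp --dport 1022".
dnat_rule() {
    case "$1" in
        insert) flag=-I ;; append) flag=-A ;; delete) flag=-D ;;
        *) echo "dnat_rule: unknown action '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        prerouting) chain=PREROUTING ;;
        output)     chain=OUTPUT ;;
        *)          chain=$2 ;;                # 'chain IPTABLES_CHAIN': name used as given
    esac
    valid_newdst "$4" || { echo "dnat_rule: bad NEW_DESTINATION '$4'" >&2; return 1; }
    echo "iptables -t nat $flag $chain $3 -j DNAT --to-destination $4"
}

# Constructed sample addresses (RFC 5737 documentation ranges).
ipWan=198.51.100.1
ipDmzServer=192.0.2.80
ipOneHost=203.0.113.10
ipAnotherHost=192.0.2.22

# First example: everything arriving for $ipWan is rewritten to $ipDmzServer;
# only the allow forward rules decide what is then actually admitted.
example_dmz_redirect() {
    dnat_rule append prerouting "-d $ipWan" "$ipDmzServer" || return 1
    echo "iptables -A FORWARD -d $ipDmzServer -p icmp -j ACCEPT"
    echo "iptables -A FORWARD -d $ipDmzServer -p tcp --sport 1024:65535 --dport 80 -j ACCEPT"
    echo "iptables -A FORWARD -d $ipDmzServer -p tcp --sport 1024:65535 --dport 443 -j ACCEPT"
}

# Second example: port 1022 on $ipOneHost becomes port 22 on $ipAnotherHost.
# DNAT only rewrites the destination; the packet still traverses FORWARD,
# so the companion 'allow forward' rule is what admits it.
example_port_redirect() {
    dnat_rule append prerouting "-d $ipOneHost -p tcp --dport 1022" "$ipAnotherHost:22" || return 1
    echo "iptables -A FORWARD -d $ipAnotherHost -p tcp --dport 22 -j ACCEPT"
}

example_dmz_redirect
example_port_redirect
```

Both example functions only print the command lines; nothing is applied to the running firewall, which makes the script usable as a dry run before committing a rule set. The zone-based from zoneInternet match of the first example is omitted because the page does not specify how a zone expands into interface and address matches.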

Copyright (C) 2014 Vitalii Druzhinin
aka VitalShell