Hi guys, excuse my noob query - but can you advise me here. For what reason does one want to forward packets from one port to another port? Also, does the other port have to be on another IP address or does it not matter? Is all this for IP spoofing or security? Please advise. I have pretty sound IP/Network/Server experience so let it rip if required. Thanks in advance.

---------------------------------------------
Jonathan Hughes
Technical Support Specialist
Goodyear South Africa
---------------------------------------------
MCSD / MCP
Registered Linux User # 362669
==============================================================================
Skill is successfully walking a tightrope over Niagara Falls. Intelligence is not trying. -Anonymous
==============================================================================
On Wednesday 25 August 2004 10:41 pm, jonathan_hughes@goodyear.co.za wrote:
> Hi guys,
> excuse my noob query - but can you advise me here. For what reason does one want to forward packets from one port to another port?
You have 10 machines behind your Linux box which is your router. You want to access each of them via VNC from some remote site. So you open ports 5900, 5901, 5902 ... etc. and route each to a separate machine of the 10 machines, but in the routing you change the port back to 5900 because that's the normal port for VNC and you don't have to set each workstation up with non-standard ports. That's just one example.

Side note: Are you sure you wouldn't be happier with Shorewall? It makes configuring iptables dirt easy.

--
_____________________________________
John Andersen
jonathan_hughes wrote regarding 'Re: [SLE] iptables driving me mental - New question' on Thu, Aug 26 at 01:46:
> Hi guys,
> excuse my noob query - but can you advise me here. For what reason does one want to forward packets from one port to another port? Also, does the other port have to be on another IP address or does it not matter? Is all this for IP spoofing or security? Please advise. I have pretty sound IP/Network/Server experience so let it rip if required.
> Thanks in advance.
They can be on the same IP. Say, for example, you're finally migrating from Apache 1.3 to 2.0. You set up the 2.0 server to listen on port 8080 and test it. All seems to be going well. To finally test, you set iptables to redirect incoming requests on port 80 to port 8080 on the same IP. If no one calls tech support to complain, then you just change the listen directive, shut down the old one, and apachectl restart. If someone does call to complain, you just drop the iptables rule and say "it's working fine for me. Are you *sure*? Try it again". Your users slowly go insane, that way, and you have a chance to fix the problem without having to keep switching which server version is running.

Perhaps you want to migrate some services from one machine to a new one. After you move your CVS files to the new CVS server, you start up the new server and forward port 2401 to the new machine. That way, people can still use "devel" as the hostname, even though the service is actually running on "devel-temp". After you move the development web server and the MySQL server over to "devel-temp", you just change the DNS entry for "devel", wait for DNS to propagate, and take the old "devel" machine offline without anyone ever noticing that they migrated to a new machine.

Or you add a LOG rule to "devel" and watch the system logs for a few weeks. Every time something connects to "devel", you go to that machine and update the configuration to point to "devel-temp". After a few weeks, nothing is connecting through the old hostname and you get rid of the rules, knowing that all hosts are migrated to the new machine now.

Etc, etc. :)

--Danny, wondering where the "tire discount for SuSE-e members" is located ;)
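The three forwarding cases from the two replies above (VNC DNAT with the port rewritten back to 5900, a same-host REDIRECT for 80 to 8080, and a DNAT plus LOG rule for a service being migrated), as an added example that is not code from the thread: a POSIX shell script that prints the iptables rules so they can be reviewed before being run as root. eth0 as the WAN interface, 203.0.113.0/24 as the remote site and the 192.168.1.x hosts are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: prints the iptables rules for
# the cases discussed above. Review the output, then pipe it into sh as
# root to apply. Assumptions: eth0 is the WAN side, 203.0.113.0/24 is the
# remote site allowed to reach VNC, and the 192.168.1.x hosts are constructed.
WAN_IF=eth0
REMOTE_NET=203.0.113.0/24

# VNC: external port 5900+N goes to LAN host N, with the port rewritten back
# to 5900 so the workstations keep the default VNC port. The -s match keeps
# the unencrypted VNC ports from being reachable from the whole Internet.
vnc_dnat_rules() {
    n=0
    for host in "$@"; do
        ext=$((5900 + n))
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $REMOTE_NET -p tcp --dport $ext -j DNAT --to-destination $host:5900"
        echo "iptables -A FORWARD -i $WAN_IF -s $REMOTE_NET -p tcp -d $host --dport 5900 -m state --state NEW -j ACCEPT"
        n=$((n + 1))
    done
}

# Same-IP case (old Apache on 80, new one on 8080): redirect on the router
# itself; dropping this one rule puts the old server back in service.
local_redirect_rule() {
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# Migration case: forward a service port (e.g. CVS 2401) to the new box and
# log each new connection, so the clients still using the old name show
# up in the system log. Args: port new_host
migrate_rules() {
    echo "iptables -t nat -A PREROUTING -p tcp --dport $1 -j DNAT --to-destination $2:$1"
    echo "iptables -A FORWARD -p tcp -d $2 --dport $1 -m state --state NEW -j LOG --log-prefix \"old-name port $1: \""
    echo "iptables -A FORWARD -p tcp -d $2 --dport $1 -m state --state NEW -j ACCEPT"
}

# Prerequisites for any forwarding rule: routing must be on, and replies
# to forwarded connections must be allowed back through.
echo "sysctl -w net.ipv4.ip_forward=1"
echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
vnc_dnat_rules 192.168.1.10 192.168.1.11 192.168.1.12
local_redirect_rule 80 8080
migrate_rules 2401 192.168.1.20
```

The DNAT happens in PREROUTING, so the FORWARD rules match on the rewritten destination; the LOG line only fires on NEW connections, which keeps the log readable over the weeks Danny describes.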
participants (3)
- Danny Sauer
- John Andersen
- jonathan_hughes@goodyear.co.za