Are you _really_ sure?
Can't we have DNAT with ebtables, too?
I found http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section4 and that looks exactly like what I need (can
What I want is redirecting a dedicated TCP port to a private IP on the host, and all I have is 4 UML IPs which are connected via
tun/tap bridge to the outside world.
So I think of "stealing" _one_ TCP port of _one_ UML to have a connection to the HOST, which has no public IP. The packet arrives,
ebtables inspects it, sees the destination IP/port and decides to rewrite the destination address/port.
Sounds plausible to me - and elegant, too.
I think I won't give up before one more person tells me that won't work.
Thanks for the long answer/explanation so far!
----- Original Message -----
From: "BlaisorBlade" <blaisorblade_spam@...>
To: "roland" <for_spam@...>; "uml-user" <user-mode-linux-user@...>
Sent: Monday, June 21, 2004 9:07 PM
Subject: Re: [uml-user] ebtables/bridge-nf & uml
> At 23:20, Sunday 20 June 2004, roland wrote:
> > hi!
> > can bridge-nf/ebtables be used to forward/redirect a dedicated tcp port to
> > a private ip/port on the host? i.e. all traffic would go to the 4 assigned
> > uml ip's and i would just "abuse" port 22222 (or whatever) of umlX to be
> > redirected (at kernel level, no matter if the uml's are up or down) to
> > 10.0.0.1, tcp port 22, which is the ssh daemon listening on the host
> > interface....
> > any hint?
> Well, use iptables and the DNAT/SNAT targets on the host (which means being
> root or asking the provider). They exist exactly for this (using
> --to-port). Ebtables can't help you *for this* because it works on a lower
> level (i.e. ebtables speaks about MACs, not IPs; there may be some small
> exceptions, but the general rule is the one I said).
> But, if you want to set up some public IPs on the guest and (I guess) a
> private IP on the host, then you'll need a lot of work with
> I-don't-know-what-hell-of-stuff, since the UML could reach the host easily,
> but the host would maybe not be known to its gateways (your provider would
> probably refuse to set them up for this strange host). You could, more easily,
> give one UML a private IP and the host its public IP, and say on the host:
> #For not TCP, it goes to UML
> iptables -t nat -A PREROUTING -d $Hostip ! -p tcp -j DNAT --to $UML_privateIP
> #For TCP but port != 22222, it goes to UML
> iptables -t nat -A PREROUTING -d $Hostip -p tcp ! --dport 22222 -j DNAT --to
> Then you're done. This UML will be on a private IP but it will appear as if
> it's on its host IP. Maybe you also want to remove and add these rules when
> the UML is shut down or started... you'll probably move them to a user-defined
> chain, and remove/add the call to this chain (the call must be done only for
> that IP, and then it's moved out of the two rules; this could maybe also
> improve filtering performance).
> Paolo Giarrusso, aka Blaisorblade
> Linux registered user n. 292729
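The setup Blaisorblade sketches (public IP on the host, a user-defined nat chain, the jump into it added and removed with the UML) as a complete script. This is an added example and not code from either poster; the addresses (192.0.2.10 as the public IP, 10.0.0.1 for the host's private side, 10.0.0.2 for the UML) and the chain name UML_NAT are assumptions. It also adds two things the quoted rules leave out that are needed for the scheme to work as described: a POSTROUTING SNAT so the UML's own connections leave with the public address, and FORWARD rules plus ip_forward, since packets DNATed to the guest are forwarded rather than delivered locally.

```shell
#!/bin/sh
# Added example, not from the thread. The public IP sits on the host; a
# user-defined nat chain DNATs everything for it to the UML, except the
# "stolen" TCP port, which goes to sshd on the host's private address.
# Only the jump into the chain is added/removed when the UML starts/stops.
# All addresses below are assumptions (TEST-NET and RFC 1918 values).
PUBLIC_IP=192.0.2.10      # the former UML public IP, now configured on the host
HOST_PRIV_IP=10.0.0.1     # host side of the tun/tap; sshd listens here on 22
UML_PRIV_IP=10.0.0.2      # the UML guest's new private IP
STOLEN_PORT=22222         # TCP port on $PUBLIC_IP reserved for the host
CHAIN=UML_NAT             # user-defined chain in the nat table

# Rules inside the user-defined chain. iptables evaluates first-match, so the
# specific port rule precedes the catch-all DNAT to the UML; this replaces the
# "! -p tcp" / "! --dport" pair from the original reply.
chain_rules() {
    printf '%s\n' \
        "-t nat -N $CHAIN" \
        "-t nat -A $CHAIN -p tcp --dport $STOLEN_PORT -j DNAT --to-destination $HOST_PRIV_IP:22" \
        "-t nat -A $CHAIN -j DNAT --to-destination $UML_PRIV_IP"
}

# The single call into the chain, restricted to packets for $PUBLIC_IP.
jump_rule() { printf '%s\n' "-t nat -I PREROUTING -d $PUBLIC_IP -j $CHAIN"; }
# Same rule with -D instead of -I, used when the UML is shut down.
down_rule() { jump_rule | sed 's/ -I PREROUTING / -D PREROUTING /'; }

# Outbound: the UML's own connections must leave as $PUBLIC_IP, or replies
# never come back. DNATed inbound packets traverse FORWARD, so allow them.
snat_rule() { printf '%s\n' "-t nat -A POSTROUTING -s $UML_PRIV_IP -j SNAT --to-source $PUBLIC_IP"; }
forward_rules() {
    printf '%s\n' \
        "-A FORWARD -d $UML_PRIV_IP -j ACCEPT" \
        "-A FORWARD -s $UML_PRIV_IP -j ACCEPT"
}

# Feed each rule line on stdin to iptables (needs root).
apply() {
    while IFS= read -r rule; do
        # word-splitting $rule into separate arguments is intended
        iptables $rule
    done
}

uml_nat() {
    case "$1" in
        setup) sysctl -w net.ipv4.ip_forward=1 >/dev/null
               { chain_rules; snat_rule; forward_rules; } | apply ;;   # once, at boot
        up)    jump_rule | apply ;;                                    # UML started
        down)  down_rule | apply ;;                                    # UML stopped
        show)  { chain_rules; snat_rule; forward_rules; jump_rule; } | sed 's/^/iptables /' ;;
        *)     echo "usage: $0 setup|up|down|show" >&2; return 2 ;;
    esac
}

uml_nat "${1:-show}"
```

Run `uml-nat.sh setup` once after boot, then `uml-nat.sh up` and `uml-nat.sh down` from whatever starts and stops the UML; `show` prints the commands without touching the kernel. Note that with the jump removed, packets for the public IP are no longer rewritten at all, so the host itself answers on 192.0.2.10 while the UML is down, which is the behaviour the original poster asked for on the reserved port but may be unwanted on the others.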