Let me see if I've got this right. With:

LANDEV="eth0"
INETDEV="eth1"
iptables -P FORWARD DROP

(obviously not my whole iptables setup, but what I hope is relevant)

If I'm going to open port 80 and direct outside connections to an internal box, I'll need:

iptables -t nat -A PREROUTING -i $INETDEV -p tcp --dport 80 -j DNAT \
    --to-destination 192.168.1.10

...but in addition to this, I'll need:

iptables -A FORWARD -i $INETDEV -d 192.168.1.10 -j ACCEPT

I was logging dropped packets with the 192.168.1.10 destination before I added the above FORWARD entry and now it works. Is this the "right" way to perform port forwarding? Is there a more optimal method? (Full iptables script available, but I thought I'd not deluge the list yet.)
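The post's observation (DNAT alone logged drops; adding the FORWARD ACCEPT made it work) follows from the order in which a forwarded packet crosses the chains: nat PREROUTING rewrites the destination first, and the filter FORWARD chain, with its DROP policy, then sees the already-rewritten address, which is why the FORWARD rule matches on 192.168.1.10 rather than the router's public address. The model below is an added example, not code from the post or the list; it is a small Python simulation of that traversal for the two rules quoted above, with constructed packets and a constructed public address (203.0.113.5), not a real firewall. It also contrasts the posted FORWARD rule, which accepts any protocol and port that reaches 192.168.1.10 from the Internet interface, with a tighter variant that only accepts what the DNAT rule actually produces (tcp/80).

```python
"""Toy model of the netfilter path a forwarded packet takes:
nat PREROUTING (DNAT) first, then filter FORWARD with policy DROP.
Constructed to show why the DNAT rule alone is not enough and why the
FORWARD rule matches the post-DNAT destination. Not a firewall; it only
models first-match rule evaluation for the fields used in the post."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_dev: str
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                        # "ACCEPT", "DROP" or "DNAT"
    in_dev: Optional[str] = None       # -i
    proto: Optional[str] = None        # -p
    dst: Optional[str] = None          # -d
    dport: Optional[int] = None        # --dport
    to_destination: Optional[str] = None  # --to-destination (DNAT only)

    def matches(self, pkt: Packet) -> bool:
        # An unset field is a wildcard, as in iptables.
        return all(
            want is None or want == have
            for want, have in ((self.in_dev, pkt.in_dev), (self.proto, pkt.proto),
                               (self.dst, pkt.dst), (self.dport, pkt.dport)))


def nat_prerouting(pkt: Packet, rules) -> Packet:
    """First matching DNAT rule rewrites the destination; otherwise unchanged."""
    for r in rules:
        if r.target == "DNAT" and r.matches(pkt):
            return replace(pkt, dst=r.to_destination)
    return pkt


def filter_forward(pkt: Packet, rules, policy: str = "DROP") -> str:
    """First matching terminating rule decides; chain policy applies otherwise."""
    for r in rules:
        if r.target in ("ACCEPT", "DROP") and r.matches(pkt):
            return r.target
    return policy


def forward_verdict(pkt: Packet, nat_rules, forward_rules) -> str:
    """Verdict for a packet arriving on an interface and being forwarded."""
    return filter_forward(nat_prerouting(pkt, nat_rules), forward_rules)


INETDEV = "eth1"
INTERNAL = "192.168.1.10"

# iptables -t nat -A PREROUTING -i $INETDEV -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10
NAT = [Rule("DNAT", in_dev=INETDEV, proto="tcp", dport=80, to_destination=INTERNAL)]

# iptables -A FORWARD -i $INETDEV -d 192.168.1.10 -j ACCEPT   (as posted: any proto, any port)
FORWARD_LOOSE = [Rule("ACCEPT", in_dev=INETDEV, dst=INTERNAL)]

# Tighter variant (assumption, not from the post): accept only what the DNAT rule produces.
# iptables -A FORWARD -i $INETDEV -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT
FORWARD_TIGHT = [Rule("ACCEPT", in_dev=INETDEV, proto="tcp", dst=INTERNAL, dport=80)]

# Constructed packets: a web request to the router's (constructed) public address,
# and a tcp/22 packet that already carries the internal address as destination.
WEB = Packet(INETDEV, "tcp", "203.0.113.5", 80)
SSH = Packet(INETDEV, "tcp", INTERNAL, 22)


def verdicts() -> dict:
    """Verdicts for each rule-set combination discussed above."""
    return {
        "web_no_forward_rule": forward_verdict(WEB, NAT, []),           # DROP: policy
        "web_loose": forward_verdict(WEB, NAT, FORWARD_LOOSE),          # ACCEPT
        "web_tight": forward_verdict(WEB, NAT, FORWARD_TIGHT),          # ACCEPT
        "ssh_loose": forward_verdict(SSH, NAT, FORWARD_LOOSE),          # ACCEPT: rule is broad
        "ssh_tight": forward_verdict(SSH, NAT, FORWARD_TIGHT),          # DROP: only tcp/80
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:22} {verdict}")
```

The model only covers the inbound direction; replies from 192.168.1.10 travel back through FORWARD as well (in_dev eth0, out eth1) and in a DROP-policy setup are normally allowed with a conntrack `--ctstate ESTABLISHED,RELATED` rule rather than a per-host ACCEPT, which keeps the explicit host rule limited to the one port that is actually published.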

