On Sun, Mar 07, 2004 at 05:22:00AM +0100, D. Benz wrote:
> I made this rule for port forwarding:
>
> (1) iptables -t nat -I PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to $local_ip:$local_port
>
> But a client connection from outside on that specified service port couldn't
> be established. iptables -vL shows me not a single packet has hit that rule
> and therefore didn't pass through the FORWARD chain, which of course has to
> be set to ACCEPT by default or, in my case where DROP is the default, another
> rule like
>
> (2) iptables -I FORWARD -i $ext_if -o $int_if -p tcp --dport $port -j ACCEPT
>
> is needed.
>
> ip_forward is enabled.
>
> Anyone having any advice?
You also need iptables -I INPUT <etc> if you've got a destructive policy or late rule. And, from memory, you don't need the FORWARD rule, as the NAT table bypasses it (as I say, from memory; if it doesn't work without it, obviously I need to recache that info).

- Matt
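As an added example (not from either poster), a small POSIX shell helper that emits, or with "apply" runs, the rule set a DNAT port forward needs on a FORWARD chain with a DROP policy. The interface names, ports and address are placeholders; the point to note is that the FORWARD rule must match the post-DNAT destination, because FORWARD sees the packet after the nat PREROUTING rewrite.

```shell
#!/bin/sh
# Constructed example: generate (or apply) the rules for a DNAT port forward.
# Usage: portforward_rules EXT_IF INT_IF EXT_PORT LOCAL_IP LOCAL_PORT [apply]
# Without the trailing "apply" the commands are only printed (dry run).

portforward_rules() {
    ext_if=$1; int_if=$2; port=$3; local_ip=$4; local_port=$5
    if [ "${6:-}" = "apply" ]; then run=""; else run="echo"; fi

    # 1. Rewrite the destination in the nat PREROUTING chain. The nat table
    #    only sees the first packet of each connection, so its counters stay
    #    small; if they stay at zero, no packet arrived on $ext_if with that
    #    dport at all (wrong interface, wrong port, or never reached the host).
    $run iptables -t nat -I PREROUTING -i "$ext_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "$local_ip:$local_port"

    # 2. FORWARD sees the packet AFTER DNAT, so match the translated
    #    destination ($local_ip:$local_port), not the external port.
    $run iptables -I FORWARD -i "$ext_if" -o "$int_if" -p tcp \
        -d "$local_ip" --dport "$local_port" -m state --state NEW -j ACCEPT

    # 3. Reply packets and the rest of the flow (required with a DROP policy).
    $run iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Routing between interfaces must be on for anything to reach FORWARD.
    $run sysctl -w net.ipv4.ip_forward=1
}

# Dry run with constructed values: forward external port 8022 to an internal
# SSH server. Compare the two --dport values in the printed output.
portforward_rules eth0 eth1 8022 192.168.1.10 22
```

To confirm hits while testing, `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` show per-rule packet counters.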

