Hi

Prerouting is processed first, but you don't need to open the port in INPUT. Packets must go through FORWARD table, so you may need something like:

iptables -A FORWARD -i ppp0 -p tcp -d 192.168.1.2 --dport 2222 -j ACCEPT

You can see a useful "netfilter map" here: http://www.admin2k.com/Netfilter_path.png

--
Jean-Michel RAUX
System Administrator - T-Online France
Tel : 01 55 45 43 88 - [EMAIL PROTECTED]

On Fri, Jun 21, 2002 at 10:15:35AM +0200, Jan Räther wrote:
> Hi there,
>
> I have just a simple question about iptables. I have a router running
> Debian with iptables. The standard policies for all chains are DROP. Now I
> want to masq/route a few specific ports to some boxes inside my LAN, all
> with 192.168.1.x addresses. I do that with:
>
> iptables -A PREROUTING -t nat -i ppp0 -s 0/0 -p tcp --dport 2222 -j DNAT --to 192.168.1.2
>
> My question is now, will that rule be processed before the standard INPUT
> policy gets applied? Or do I have to add a:
>
> iptables -A INPUT -i ppp0 -s 0/0 -p tcp --dport 2222 -j ACCEPT
>
> before the PREROUTING thingie?
>
> Jan
>
> -----
> Jan Räther
> Universität Hamburg
> Zentrum für Molekulare Neurobiologie
> Service-Gruppe EDV
> Falkenried 94
> 20251 Hamburg
> Germany
> Tel.: 040 - 428 - 03 - 6619
> Fax.: 040 - 428 - 03 - 6621
>
> Tell a man there are 300 billion stars
> in the universe and he'll believe you.
> Tell him a bench has wet paint on it
> and he'll have to touch to be sure.
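The rule set discussed in this thread, as an added example that is not part of either message: a hypothetical helper, port_forward_rules, prints the DNAT rule and the matching FORWARD rules for review rather than applying them. The return-traffic rule and the conntrack state matches are additions beyond the reply, assumed necessary because the question states that every chain has policy DROP.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands so they can be
# reviewed before being applied; printing needs no root.
# Usage: port_forward_rules WAN_IF PROTO PORT INTERNAL_IP  (hypothetical helper)
port_forward_rules() {
    wan_if=$1 proto=$2 port=$3 dest=$4

    # Validate every value before it is interpolated into a command line.
    case $wan_if in ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 1;; esac
    case $proto in tcp|udp) ;; *) echo "bad protocol" >&2; return 1;; esac
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    case $dest in ''|*[!0-9.]*) echo "bad address" >&2; return 1;; esac

    # 1. nat/PREROUTING rewrites the destination before the routing decision.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $port -j DNAT --to-destination $dest"

    # 2. The rewritten packet is routed to the LAN host, so the filter table
    #    sees it in FORWARD, not INPUT. Only the address changed, so the
    #    destination port is still the original one.
    echo "iptables -A FORWARD -i $wan_if -p $proto -d $dest --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"

    # 3. With policy DROP on FORWARD, replies from the LAN host need their own
    #    rule. They still carry the internal source address at this point.
    echo "iptables -A FORWARD -o $wan_if -p $proto -s $dest --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Values taken from the thread: ppp0, tcp port 2222, host 192.168.1.2.
port_forward_rules ppp0 tcp 2222 192.168.1.2
```

No INPUT rule is generated: INPUT only sees packets whose final destination is the router itself.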

