On 02/15/2016 04:37 PM, Ken D'Ambrosio wrote:
> Every time I think I'm getting to the point where I might understand IP
> Tables, I do something that proves that, no, I really don't. Today's
> confusion: I want to set up a virtual NIC to do port forwarding. But
> first, I wanted to get the port forward part of the equation straight.
> So I wound up executing these commands:
>
> iptables -t nat -A PREROUTING -p tcp --dport 8774 -j DNAT --to 172.23.242.39:8774
> iptables -A FORWARD -d 172.23.242.39 -p tcp --dport 8774 -j ACCEPT
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> Worked great. I then did an "ifconfig eth0:1 172.23.9.139 netmask
> 255.255.255.0" to see if I could telnet to port 8774 on it. I could.
> So then I did "iptables --flush", and it did. When I type "iptables
> --list", I now get:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Terrific. Pretty much what I expected. Telnetting to port 8774 on eth0
> fails, as expected... but telnetting to port 8774 on the virtual works
> great. I even fired up Firefox to make sure, and youbetchya, it's
> interacting with the remote server.
Because you only flushed the "filter" table, which is the default table if
you don't specify another one (e.g.: "-t nat", like you did when adding the
rules to that "nat" table).

"iptables -t nat --list" should show you that your DNAT and MASQUERADE rules
are still in there.

If you want to flush the "nat" table, you need to do:

iptables -t nat --flush

(the man page says that "iptables --flush" flushes the chains in "the table")

-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
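As an added example that is not from the thread: a small POSIX shell check that reads an iptables-save dump, counts the rules left in every table and emits the per-table flush commands, so a flush that only touched filter is caught. The dump below is constructed to mirror the state the thread describes; on a real host, substitute the output of iptables-save.

```shell
#!/bin/sh
# Constructed iptables-save snapshot (not captured from a real host), modelled
# on the thread: a bare "iptables --flush" emptied the filter table, but the
# DNAT and MASQUERADE rules added with "-t nat" are still in the nat table.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8774 -j DNAT --to-destination 172.23.242.39:8774
-A POSTROUTING -j MASQUERADE
COMMIT'

# Read an iptables-save dump on stdin and print "<table> <rule count>" per table.
rules_per_table() {
    awk '/^\*/  { table = substr($1, 2); count[table] = 0; order[n++] = table }
         /^-A / { count[table]++ }
         END    { for (i = 0; i < n; i++) print order[i], count[order[i]] }'
}

# Print the tables that still hold rules; exit 0 if any do, 1 if all are empty.
nonempty_tables() {
    printf '%s\n' "$1" | rules_per_table |
        awk '$2 > 0 { print $1; found = 1 } END { exit !found }'
}

# Emit one flush command per table present in the dump; this is what a bare
# "iptables --flush" does not do for nat (or mangle/raw, if they hold rules).
flush_commands() {
    printf '%s\n' "$1" | awk '/^\*/ { print "iptables -t " substr($1, 2) " --flush" }'
}

# Stand-alone run against the constructed dump; on a live host use
# "$(iptables-save)" in place of "$SAMPLE_SAVE".
printf '%s\n' "$SAMPLE_SAVE" | rules_per_table
if nonempty_tables "$SAMPLE_SAVE" >/dev/null; then
    echo "tables still loaded:" $(nonempty_tables "$SAMPLE_SAVE")
    flush_commands "$SAMPLE_SAVE"
fi
```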