/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */
Hi,

I am having a bit of trouble trying to figure out DNAT. The odd thing is that SNAT is working fine for me:

####################
$iptables -t nat -A POSTROUTING -o $inet_if -j SNAT --to-source $inet_ip
####################

I am just simply trying to forward port 80 to an internal web server with the following rule:

#####################
$iptables -t nat -A PREROUTING -p tcp -d $inet_ip --dport 80 -j DNAT --to-destination $lan_svr:80
#####################

I have tried connecting to the site with internal and external addresses. No go. When I view dmesg I see that everything is right (incoming NIC, where it's destined, port, etc.); however, it's being dropped by the forwarding chain.

################## FORWARDING SECTION #####################
# Bad packets go here
$iptables -A FORWARD -p tcp -j bad_tcp

# Forward the packets that come from the LAN.
$iptables -A FORWARD -i $lan_if -j ACCEPT

# Anything already established is good.   <-- possibly here? add a SYN?
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log, but only 3 per minute.
$iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "FORWARD packet died:"
######################### END #############################

Is there a module I'm missing that SNAT works fine without, but DNAT needs to have installed?

I tried, for kicks, enabling a rule to forward packets from the $inet_nic --> internal server, but this didn't help either; however, now I couldn't see an actual forward-drop message from an external server trying to pass through the firewall to the internal web site. It just didn't work, period. After removing the entry, I was back to the "FORWARD packet died" error in dmesg.

This is my first run with iptables, so sorry if this is elementary.

Another little question: is there any way to actually block destination addresses via URL and not IP with iptables?

Thanks SO much.
--
TCook

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
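The rules below are an added example, not the poster's script or a reply from the list. They show the two things the FORWARD chain in the question is missing: an ACCEPT for the first, state NEW packet of an inbound connection, matched on the *translated* destination (DNAT runs in PREROUTING, so by the time FORWARD sees the packet its destination is already $lan_svr, not $inet_ip), and, for the "internal address" test, a source rewrite so that LAN clients connecting to the public address get their replies back through the router instead of directly from the server. Interface names, addresses and the helper function names are assumptions for illustration; the script prints the commands by default because iptables needs root.

```shell
#!/bin/sh
# Added example (not the poster's script). Interface names and addresses are
# assumptions; set them for your own router before running with DRY_RUN=0.
inet_if=eth0               # assumed internet-facing interface
lan_if=eth1                # assumed LAN interface
inet_ip=203.0.113.10       # assumed public address (documentation range)
lan_ip=192.168.1.1         # assumed router address on the LAN
lan_net=192.168.1.0/24     # assumed LAN network
lan_svr=192.168.1.20       # assumed internal web server

# iptables needs root and may not be installed where this is read, so with
# DRY_RUN=1 (the default) the commands are printed instead of executed.
: "${DRY_RUN:=1}"
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules for connections arriving from the Internet.
# (SNAT already working means net.ipv4.ip_forward is on; nothing extra
# needs to be loaded for DNAT beyond what SNAT already uses.)
dnat_rules() {
    # 1. Translate the public address to the server. This runs in PREROUTING,
    #    before routing and before the FORWARD chain sees the packet.
    ipt -t nat -A PREROUTING -p tcp -d "$inet_ip" --dport 80 \
        -j DNAT --to-destination "$lan_svr:80"

    # 2. The first SYN from the Internet is state NEW, so neither an
    #    "-i $lan_if" rule nor an ESTABLISHED,RELATED rule accepts it and it
    #    falls through to the LOG rule. Match the translated destination
    #    ($lan_svr), because FORWARD runs after DNAT.
    ipt -A FORWARD -i "$inet_if" -o "$lan_if" -p tcp -d "$lan_svr" --dport 80 \
        -m state --state NEW -j ACCEPT

    # 3. Replies from the server belong to an existing connection.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Rules for LAN clients that connect to the public address ("hairpin" NAT).
hairpin_rules() {
    # The PREROUTING DNAT above rewrites these packets too, but the server
    # would answer the client directly from $lan_svr, and the client does not
    # recognise that as the reply to its connection to $inet_ip. Rewriting
    # the source to the router's LAN address pulls the reply back through
    # the router, where conntrack undoes both translations.
    ipt -t nat -A POSTROUTING -o "$lan_if" -s "$lan_net" -d "$lan_svr" \
        -p tcp --dport 80 -j SNAT --to-source "$lan_ip"

    # Allow the LAN-to-LAN hop through the router.
    ipt -A FORWARD -i "$lan_if" -o "$lan_if" -p tcp -d "$lan_svr" --dport 80 \
        -m state --state NEW -j ACCEPT
}

dnat_rules
hairpin_rules
```

The NEW-state ACCEPT must sit before the LOG rule in the question's FORWARD chain; appending it after the LOG does nothing because the packet is already logged and, with a DROP policy, discarded. On the second question: iptables matches on addresses, ports and packet contents, not on URLs. A hostname given to `-d` is resolved once, when the rule is inserted, so it cannot track a name that changes address, and it cannot see a path at all; blocking by URL belongs in an HTTP proxy (Squid, for example) that the LAN is forced through.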
