OK, so let me see if I understand. I should put the DNAT rule before my INPUT rules. Then I should also have a FORWARD rule that forwards the traffic that has been translated to the new destination. Is this correct?
----- Original Message -----
From: "EtherMage" <[EMAIL PROTECTED]>
To: "Yan Seiner" <[EMAIL PROTECTED]>; "Shaun Landau" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, February 19, 2002 1:20 PM
Subject: Re: Can't get DNAT to work!!!

> > 2. You ACCEPT the packets on your input chain first (meaning they go to
> > the local box, and are routed per the routing table) and THEN you do
> > DNAT. By the time you reach DNAT, all the port 80 bound packets have
> > already been ACCEPTed by the INPUT chain. Put the DNAT rules first
> > (remember the ASCII art flow chart? prerouting, then input).
>
> Not true. DNAT is done in PREROUTING, which comes before INPUT. You need
> to review that ASCII chart you mentioned. THEN, if the DNATted packet says
> go to an IP owned by the firewall, the connection has to pass through the
> INPUT chain. Otherwise, it'll go thru the FORWARD chain, and it will have
> to pass _those_ filters - that's where you have to open port 80 for the DNAT
> to work properly.
>
> -EtherMage
>
> OT PS: PLEASE, PLEASE, use a spell checker or at least look over your post
> for typos before sending, it makes things so much easier to read.
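The rule set EtherMage describes, as an added example that is not from this thread: DNAT lives in the nat table's PREROUTING chain, and because the translated destination is not a firewall address the packet then crosses FORWARD, which is where port 80 has to be accepted. The interface name, addresses and port are assumed values; the script prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Assumed topology (constructed for this example): eth0 is the external
# interface, 203.0.113.10 the firewall's public address, 192.168.1.20 the
# internal web server behind it.
WAN_IF="${WAN_IF:-eth0}"
PUB_IP="${PUB_IP:-203.0.113.10}"
WEB_IP="${WEB_IP:-192.168.1.20}"
PORT="${PORT:-80}"

# Emit the rules instead of running them; pipe the output into sh as root
# to apply (ip_forward must be enabled for FORWARD traffic to flow).
dnat_rules() {
    # 1. Translation happens in nat/PREROUTING, before the routing decision,
    #    so no INPUT or FORWARD rule has seen the packet yet.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $PUB_IP --dport $PORT -j DNAT --to-destination $WEB_IP:$PORT"
    # 2. After DNAT the destination is the internal server, not the firewall,
    #    so the routing lookup sends the packet through FORWARD. The filter
    #    rule must match the translated (internal) address, not the public one.
    echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $WEB_IP --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    # 3. Replies from the server back to the client; conntrack reverses the
    #    translation on the way out, so no separate SNAT rule is needed here.
    echo "iptables -A FORWARD -o $WAN_IF -s $WEB_IP -p tcp --sport $PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Which filter chain a DNATted packet reaches is decided by the routing
# lookup on the *translated* destination: an address the firewall owns
# goes to INPUT, anything else to FORWARD.
# usage: chain_after_dnat <translated-dest> <firewall-ip>...
chain_after_dnat() {
    dest="$1"; shift
    for local_ip in "$@"; do
        [ "$dest" = "$local_ip" ] && { echo INPUT; return 0; }
    done
    echo FORWARD
}

dnat_rules
```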