OK, I think I have moved forward to some extent. I added this rule before
all other rules:

$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 80 \
        -j DNAT --to-destination 192.168.1.2:88

Then I added the forwarding rule later in the script:

$IPTABLES -A FORWARD -d 192.168.1.2 -j ACCEPT


This works as expected for traffic coming through the external interface,
i.e. the internet. But when I try to access it from my LAN (incidentally also
the destination machine for the DNAT rule, i.e. 192.168.1.2), it doesn't work.


My understanding is this:
1) The DNAT PREROUTING rule changes the destination of the packet so that it
is no longer targeted at the firewall/internet machine.
2) Now that the destination is no longer the firewall machine, the only
rules that apply to the packets are FORWARD rules, since the packet did not
originate from the firewall machine (otherwise OUTPUT rules would apply too?)

Is this correct? Why isn't the DNAT working from within the LAN?

BTW, thanks for your help!

----- Original Message -----
From: "Yan Seiner" <[EMAIL PROTECTED]>
To: "Shaun Landau" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, February 19, 2002 2:52 PM
Subject: Re: Can't get DNAT to work!!!


> Shaun Landau wrote:
>
> >OK, so let me see if I understand. I should put the DNAT rule before my
> >INPUT rules. Then I should also have a FORWARD rule that forwards the
> >traffic that has been translated to the new destination. Is this correct?
> >
> >Here's how I forwarded some stuff:
> >
>
> $IPTABLES --table nat -p udp --append PREROUTING \
>         --source $OUTSIDE --destination $EXT_IP -m multiport --dports xxx,yyy,zzz \
>         -j DNAT --to-destination 192.168.129.3
>
> and then my forward and output rules:
>
> $IPTABLES -A OUTPUT --destination 192.168.0.0/16 -j ACCEPT
> $IPTABLES -A FORWARD --source 192.168.0.0/16 --destination 192.168.0.0/16 -j ACCEPT
>
>
> This worked fine until I obsoleted that particular server.
>
> --Yan
>
> >
> >
> >
>
>
>
>
>
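The setup discussed in the thread above, as an added example that is not from either poster. A PREROUTING DNAT rule by itself is enough for connections arriving from the internet, but it is not enough when the client sits on the same LAN as the server: the client's SYN to $EXTIP is DNATed to 192.168.1.2:88, and the server then answers the client directly over the LAN. That reply never passes through the firewall's NAT table, so the client receives a SYN/ACK from 192.168.1.2 instead of from $EXTIP and discards it. The usual fix (hairpin or loopback NAT) is to also SNAT LAN-originated connections to the firewall's own LAN address, which forces the reply back through the firewall. The script runs as a dry run by default and just prints the rules; the external address 203.0.113.10, the LAN subnet 192.168.1.0/24 and the firewall's LAN address 192.168.1.1 are assumptions, while 192.168.1.2:88 is the server from the rule above.

```shell
#!/bin/sh
# Added example, not from the original thread: DNAT port 80 on the external
# address to an internal server on port 88, and make it work for LAN clients
# too (hairpin NAT). Values marked "assumed" are placeholders.
EXTIP=${EXTIP:-203.0.113.10}        # assumed external address of the firewall
LANNET=${LANNET:-192.168.1.0/24}    # assumed LAN subnet
LANIP=${LANIP:-192.168.1.1}         # assumed LAN address of the firewall
SERVER=${SERVER:-192.168.1.2}       # internal web server, as in the thread
SPORT=88                            # port the server listens on, as in the thread
# Dry run by default: the rules are printed. Set IPTABLES=/sbin/iptables to apply them.
IPTABLES=${IPTABLES:-echo iptables}

hairpin_dnat_rules() {
    # PREROUTING runs before the routing decision, so after this rule the
    # packet is no longer addressed to the firewall and traverses FORWARD,
    # not INPUT. This applies to packets from the internet and from the LAN.
    $IPTABLES -t nat -A PREROUTING -p tcp -d "$EXTIP" --dport 80 \
        -j DNAT --to-destination "$SERVER:$SPORT"

    # Hairpin: when the client is on the LAN, also rewrite the source to the
    # firewall's LAN address. Without this the server answers the client
    # directly, the reply bypasses the firewall's NAT table, and the client
    # sees a SYN/ACK from the server instead of from EXTIP and discards it.
    $IPTABLES -t nat -A POSTROUTING -p tcp -s "$LANNET" -d "$SERVER" --dport "$SPORT" \
        -j SNAT --to-source "$LANIP"

    # FORWARD sees the already-translated destination, so match on the
    # server address and port, and let conntrack pass the reply packets.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -d "$SERVER" --dport "$SPORT" -m state --state NEW -j ACCEPT
}

hairpin_dnat_rules
```

Run it as-is to see the four rules; with IPTABLES=/sbin/iptables it loads them, and it assumes the FORWARD policy is set to DROP elsewhere in the script. The price of the SNAT is that the server sees every LAN client as 192.168.1.1, so its logs lose the real client address; if that matters, pointing LAN clients at 192.168.1.2:88 directly (for example through split DNS) avoids the hairpin altogether.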

