Hmmm. I changed the default policy on my FORWARD chain to ACCEPT, so I didn't think I'd need to add a specific rule to it to get this to work. I won't ultimately leave FORWARD set to ACCEPT by default; I just set it that way while trying to get this working. Right now iptables -L looks like this:

[root@ns /root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@ns /root]#

Do I still need a forwarding rule? I've tried adding this rule:

[root@ns /root]# iptables -A FORWARD -d 141.140.1.18 -j ACCEPT

...but it doesn't change the behavior at all. Could you be more specific? I've read the NAT-HOWTO, <http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html>, but its examples on DNAT don't mention adding anything to the FORWARD chain, so I'm a little lost here.

Thanks,
Ted Fines

>Hi
>you forgot about the forward rule.
>iptables -t nat -A ...and so on is one thing.
>now you also must forward the stuff
>iptables -A FORWARD -s ...blablabla
>HTH,
>Philipp
>
>
> Hi all,
>
> I'm using iptables 1.2.2 on a RH box running kernel 2.4.4. I'm trying to
> set up something that I did once a long time ago, but alas I seem to have
> forgotten how to do it.
>
> The firewall has two NICs. I want all WWW requests coming through eth0 to
> get sent to a specific web server. As in, no matter what URL the user
> tries to access, they always go to a specific web server. Here's the
> command I remember working but doesn't seem to:
> iptables -t nat -A PREROUTING -i eth0 -p tcp \
> --dport http -j DNAT --to 141.140.1.18
>
> Then I check what my ruleset is by using iptables -L -t nat:
> [root@ns /root]# iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             anywhere           tcp dpt:http to:141.140.1.18
>
> I also double-check my mangle and filter tables to make sure I don't have
> some leftover rule there that is messing this up. Both those tables are
> empty.
>
> This looks right to me, but here is what happens to a client. If the
> client tries to access the web server on 141.140.1.18, it works. If the
> client tries to access any other web server, the client's web browser just
> hangs. And I have tested the client's behavior without any rules, and
> accessing anything works fine, so I don't think there's some kind of
> routing problem. I've also tried adding the rule to the OUTPUT chain, but
> that doesn't work either.
>
> Like I said, I had this working at one time, so I know it can be done.
> What am I missing?
>
> Thanks in advance,
> Ted Fines
>
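The packet path Ted and Philipp are discussing, as an added example that is not part of this thread: a small Python model of netfilter's nat/PREROUTING DNAT, the filter/FORWARD verdict, and conntrack's reversal of the DNAT on replies. It assumes the PREROUTING rule from the thread, a simplified FORWARD chain (destination-match rules, then the chain policy), and constructed client and server addresses (10.0.0.5, 198.51.100.7).

```python
from dataclasses import dataclass

WEB_SERVER = "141.140.1.18"   # DNAT target from the thread


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


class Firewall:
    def __init__(self, forward_policy="ACCEPT", forward_rules=None):
        self.policy = forward_policy         # chain policy, as shown by iptables -L
        self.rules = forward_rules or []     # list of (dst, verdict), i.e. -d X -j Y
        self.conntrack = {}                  # translated 4-tuple -> original dst

    def prerouting(self, p, in_iface):
        # nat PREROUTING: -i eth0 -p tcp --dport http -j DNAT --to 141.140.1.18
        if in_iface == "eth0" and p.dport == 80:
            self.conntrack[(p.src, p.sport, WEB_SERVER, p.dport)] = p.dst
            return Pkt(p.src, WEB_SERVER, p.sport, p.dport)
        return p

    def forward(self, p):
        # filter FORWARD: first matching -d rule decides, else the chain policy
        for dst, verdict in self.rules:
            if dst == p.dst:
                return verdict
        return self.policy

    def handle_request(self, p, in_iface="eth0"):
        """Return (FORWARD verdict, packet as it leaves toward the server)."""
        p = self.prerouting(p, in_iface)
        return self.forward(p), p

    def handle_reply(self, p):
        """Reply crossing this box: conntrack restores the original dst as src."""
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.conntrack:
            return Pkt(self.conntrack[key], p.dst, p.sport, p.dport)
        return p


def client_accepts(reply, expected_server):
    # The client's TCP stack only matches the reply to its socket if the
    # source address is the server it originally connected to.
    return reply.src == expected_server
```

With the chain policy at ACCEPT the DNAT'd packet passes FORWARD without an explicit rule, and with a DROP policy the `-d 141.140.1.18 -j ACCEPT` rule is what lets it through; the model also shows that conntrack can only undo the DNAT on replies that come back through the same box.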