Thanks for your reply. Please see my responses below. First, here is the
text from my initial request for help, restating my goal and config:
Please view this message in a fixed-width font, so you can see the ASCII
art. Box C is a client machine. Box F is the firewall, and Box W is the
web server.
          C
   +--------------+
|--|141.140.200.5 |
|  +--------------+
|
|
|         F
|  +--------------+
|--|141.140.200.20|             W
   +              +      +--------------+
   |141.140.1.10  |------|141.140.1.18  |
   +--------------+      +--------------+
Goal: No matter what HTTP URL the client C types, his web browser ends up
at Box W. I had this working at one point, months ago, and have lost my
notes. I am now too dumb to get it going again. Strangely, I don't
remember this as having been too difficult.
SysInfo: Firewall is RH 7.2 with kernel 2.4.17. IPTABLES is v1.2.5,
installed from the source, then the kernel recompiled.
--On Tuesday, February 26, 2002 2:30 PM -0800 "Darrell A. Escola"
<[EMAIL PROTECTED]> wrote:
> On Tue, Feb 26, 2002 at 03:37:05PM -0600, Ted Fines wrote:
>> Hi all,
>
> ...
>
>> [root@dormsfw root]# iptables -L --line-numbers -t nat
>> Chain PREROUTING (policy ACCEPT)
>> num target prot opt source destination
>> 1 DNAT tcp -- 141.140.200.5 anywhere tcp
>> dpt:http to:141.140.1.18
>> 2 DNAT udp -- 141.140.200.5 anywhere udp
>> dpt:http to:141.140.1.18
>>
>> Chain POSTROUTING (policy ACCEPT)
>> num target prot opt source destination
>>
>
> This PREROUTING ruleset sends all tcp/udp traffic from 141.140.200.5 to
> ... 141.140.1.18 - whatever the original destination of the packet may
> have been.
Yes, this is exactly what I want to do--if only I could get it to work
again!
>
> If this was your intention, you need to have a proxy server set up on
> ...18.
I have to contradict you here. I had this working several months ago, and
never set up any kind of proxy server.
>
> You probably wanted to set up a POSTROUTING rule to SNAT these packets to
> your public IP.
No, that's not what I wanted.
>
> If you do have a proxy server, you will need a SNAT rule to change the
> outbound packets from the proxy server to the internet to have a valid
> source IP.
Don't have a proxy server.
>
> Darrell
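
An added example, not part of the original thread: a simplified Python model of how the two PREROUTING DNAT rules in the listing above treat a packet from Box C, including the reverse translation that connection tracking applies to the reply. The class and function names, the original destination 192.0.2.80, the source port, and the assumption that W's replies are routed back through F are all constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# The two PREROUTING rules from the listing: (proto, source, dport, DNAT target)
RULES = [("tcp", "141.140.200.5", 80, "141.140.1.18"),
         ("udp", "141.140.200.5", 80, "141.140.1.18")]

class Nat:
    """Toy model of nat/PREROUTING plus connection tracking (hypothetical names)."""
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}  # expected reply tuple -> original destination

    def prerouting(self, pkt):
        # First matching rule rewrites the destination; the mapping is remembered.
        for proto, src, dport, to in self.rules:
            if (pkt.proto, pkt.src, pkt.dport) == (proto, src, dport):
                self.conntrack[(pkt.proto, to, pkt.dport, pkt.src, pkt.sport)] = pkt.dst
                return replace(pkt, dst=to)
        return pkt  # no rule matched: packet is forwarded unchanged

    def reply(self, pkt):
        # A reply crossing the firewall gets its source restored to the address
        # the client originally asked for, so the client accepts it.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        orig = self.conntrack.get(key)
        return replace(pkt, src=orig) if orig else pkt

def demo():
    nat = Nat(RULES)
    # Constructed packet: Box C browsing to an arbitrary site on port 80.
    syn = Packet("tcp", "141.140.200.5", 40000, "192.0.2.80", 80)
    fwd = nat.prerouting(syn)                      # what Box W receives
    back = nat.reply(Packet("tcp", fwd.dst, 80, fwd.src, fwd.sport))
    https = nat.prerouting(replace(syn, dport=443))  # not covered by either rule
    return fwd, back, https

if __name__ == "__main__":
    for p in demo():
        print(p)
```

In this model only port 80 traffic from 141.140.200.5 is redirected; the constructed port 443 packet passes through with its destination unchanged.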