DNAT on OUTPUT works just fine ONLY if you apply the local-nat.patch
from patch-o-matic.

[root@firewall root]# iptables -t nat -nL -v
[ ..... ]

Chain OUTPUT (policy ACCEPT 15826 packets, 777K bytes)
 pkts bytes target     prot opt in     out     source               destination
   88  3872 DNAT       tcp  --  *      lo      0.0.0.0/0            my.external.address  tcp dpt:80 to:192.168.9.14:80
    0     0 DNAT       tcp  --  *      lo      0.0.0.0/0            my.external.address  tcp dpt:20 to:192.168.9.14:20
    0     0 DNAT       tcp  --  *      lo      0.0.0.0/0            my.external.address  tcp dpt:21 to:192.168.9.14:21

    Sincerely,
    Leonardo Rodrigues

----- Original Message -----
From: "Kellogg, Chris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 10, 2002 11:11 AM
Subject: RE: Anyone using DNAT on the OUTPUT chain?


> Hi, Antony
>
> > On Monday 10 June 2002 1:45 pm, Kellogg, Chris wrote:
> >
> > > iptables -A OUTPUT -s 192.168.0.0/24 -p tcp --dport 80 -t nat -j DNAT --to-destination 192.168.4.4:80
> > >
> > > When I attempt to put this rule in, I get the error message "iptables: Invalid argument".
> >
> > I should think it's the -s argument which netfilter is complaining about - it
> > makes (almost) no sense to include this in a rule which only applies to
> > packets coming from the local machine.
>
> ACK!  Talk about a serious brain cramp - I completely forgot that the OUTPUT
> chain is for outbound connections sourced from the NetFilter box.
>
> > I assume you really are trying to DNAT packets originating from the netfilter
> > box, and not ones which are being routed by it (which you would do in the
> > POSTROUTING chain) ?
>
> I want to redirect packets being routed by the NetFilter box.  I guess that
> means I need to use the PREROUTING chain to handle these packets...since I
> need the DNAT option, and that only on the PREROUTING and OUTPUT chains -
> and OUTPUT won't work. :)
>
> > Antony.
>
> Thanks for helping me pull my head out of my posterior.
>
> Any ideas on alternative methods to do what I'm trying to do?
>
> Cheers,
>
> Chris.
>
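An added example, not from the thread, that encodes the point of both replies: forwarded traffic is only seen by nat/PREROUTING, while nat/OUTPUT only sees packets the firewall itself generates. The first helper picks the chain from where the packet originates and prints the rule; the second checks an `iptables -t nat -nL -v` listing (a constructed sample in the style of Leonardo's output, with the rows unwrapped) for a DNAT rule, so a rule can be verified after it is added. Addresses, chain names and the sample listing are constructed.

```shell
#!/bin/sh
# dnat_rule ORIGIN SRC_NET DPORT TARGET  -> prints the iptables command
# ORIGIN is "routed" (packets forwarded by the box, Chris's case) or
# "local" (packets generated on the box, Leonardo's case).
# Nothing here runs iptables; the command is only printed.
dnat_rule() {
    origin=$1 src=$2 dport=$3 target=$4
    case "$origin" in
        routed)
            # Forwarded packets pass nat/PREROUTING, where -s is meaningful.
            printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport %s -j DNAT --to-destination %s\n' "$src" "$dport" "$target" ;;
        local)
            # Locally generated packets pass nat/OUTPUT; -s is dropped since the source is the box.
            # On 2.4 kernels this needs the patch-o-matic local-nat patch (Leonardo's remark).
            printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -j DNAT --to-destination %s\n' "$dport" "$target" ;;
        *)
            echo "dnat_rule: origin must be routed or local" >&2
            return 1 ;;
    esac
}

# dnat_present CHAIN DPORT TARGET < listing  -> exit 0 if the rule is listed
# Reads `iptables -t nat -nL -v` output on stdin and looks inside CHAIN only.
dnat_present() {
    awk -v chain="$1" -v dport="$2" -v target="$3" '
        /^Chain /  { in_chain = ($2 == chain); next }        # chain header resets scope
        in_chain && $3 == "DNAT" && index($0, " dpt:" dport " ") && $NF == "to:" target { found = 1 }
        END        { exit found ? 0 : 1 }'
}

# Constructed listing: PREROUTING rule for routed LAN traffic (Chris) and
# OUTPUT rules for traffic the box sends to its own external address (Leonardo).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 10 packets, 600 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:80 to:192.168.4.4:80

Chain OUTPUT (policy ACCEPT 15826 packets, 777K bytes)
 pkts bytes target     prot opt in     out     source               destination
   88  3872 DNAT       tcp  --  *      lo      0.0.0.0/0            my.external.address  tcp dpt:80 to:192.168.9.14:80
    0     0 DNAT       tcp  --  *      lo      0.0.0.0/0            my.external.address  tcp dpt:21 to:192.168.9.14:21'

# check_sample CHAIN DPORT TARGET -> runs dnat_present over the sample listing
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | dnat_present "$@"
}
```

On a real firewall, pipe `iptables -t nat -nL -v` into `dnat_present` instead of the sample to confirm the rule landed in the chain you meant.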
