Here is what I do and it works fine.

# nat/PREROUTING: publish the web server on the external address
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport http -j DNAT --to-destination $web_server_IP:80

# nat/POSTROUTING: for LAN clients hitting the DNATed server, rewrite the source
# to the firewall's LAN address so the server's replies come back through the firewall
iptables -t nat -A POSTROUTING -s $LAN_Subnet -d $web_server_IP -p tcp --dport http -j SNAT --to-source $firewall_lan_IP

# nat/POSTROUTING: masquerade everything else leaving on the external interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Hope this helps.

----- Original Message -----
From: "Antony Stone" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 10, 2002 11:46 AM
Subject: Re: Destination NAT Onto the Same Network Problem

> On Wednesday 10 July 2002 4:10 pm, Joe Patterson wrote:
>
> > > > <[EMAIL PROTECTED]> wrote:
> > >
> > > Oh. I knew you couldn't use -o in PREROUTING, because the routing
> > > hasn't been done yet, but I would have thought that POSTROUTING would
> > > remember where the packet came in from?
> >
> > Yeah, that's always bothered me too. I'm sure there's a good reason, but
> > it doesn't make sense to me.
> >
> > The way around it, of course, is to set a mark in mangle/PREROUTING on
> > the -i interface, then check the mark in nat/POSTROUTING. Alternatively,
> > you can of course use -s $INTERNAL_NET
>
> Using -s is easy enough for the internal network, but a bit bothersome for
> the external network (!), so I like the suggestion for marking packets in the
> mangle table and then checking the mark later on....
>
> Antony.
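The following is an added illustration, not code from anyone in this thread, of why the second rule above (SNAT of LAN clients to the firewall's LAN address) is needed when the DNAT target sits on the same subnet as the client. It models the two NAT chains and a tiny conntrack table in Python; all addresses are constructed stand-ins for $EXT_IP, $firewall_lan_IP, $web_server_IP and $LAN_Subnet, and the TCP handshake is reduced to "does the SYN-ACK come from the address and port the client sent to".

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# All addresses are constructed for the simulation (RFC 5737 / RFC 1918 ranges).
EXT_IP = "203.0.113.10"         # firewall's public address   ($EXT_IP)
FW_LAN_IP = "192.168.1.1"       # firewall's LAN address      ($firewall_lan_IP)
WEB_SERVER_IP = "192.168.1.20"  # the DNAT target             ($web_server_IP)
CLIENT_IP = "192.168.1.50"      # a client on the same LAN as the server
LAN_SUBNET = "192.168.1."       # crude prefix check standing in for $LAN_Subnet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_SUBNET)


class Firewall:
    """Minimal model of nat/PREROUTING (DNAT) and nat/POSTROUTING (SNAT)."""

    def __init__(self, snat_hairpin: bool):
        self.snat_hairpin = snat_hairpin
        # conntrack: (translated dst, translated src, sport) -> original packet
        self.conntrack: Dict[Tuple[str, str, int], Packet] = {}

    def outbound(self, pkt: Packet) -> Packet:
        # PREROUTING: traffic to the external address on port 80 goes to the server.
        if not (pkt.dst == EXT_IP and pkt.dport == 80):
            return pkt
        after_dnat = replace(pkt, dst=WEB_SERVER_IP)
        # POSTROUTING: only when enabled, and only for LAN sources, hide the
        # client behind the firewall's LAN IP so the reply is routed back here.
        if self.snat_hairpin and on_lan(pkt.src):
            translated = replace(after_dnat, src=FW_LAN_IP)
        else:
            translated = after_dnat
        self.conntrack[(translated.dst, translated.src, translated.sport)] = pkt
        return translated

    def inbound_reply(self, reply: Packet) -> Optional[Packet]:
        # Reverse both translations for a reply that matches a tracked flow.
        orig = self.conntrack.get((reply.src, reply.dst, reply.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def web_server_reply(req: Packet) -> Packet:
    # The server answers whatever source it saw; it knows nothing about the NAT.
    return Packet(src=WEB_SERVER_IP, dst=req.src, sport=80, dport=req.sport)


def simulate(snat_hairpin: bool) -> str:
    fw = Firewall(snat_hairpin)
    syn = Packet(src=CLIENT_IP, dst=EXT_IP, sport=40000, dport=80)
    reply = web_server_reply(fw.outbound(syn))

    # Routing of the reply: client and server share a subnet, so a reply addressed
    # to the client goes straight to it and bypasses the firewall. Only a reply
    # addressed to the firewall's LAN IP passes back through the NAT table.
    if reply.dst == FW_LAN_IP:
        undone = fw.inbound_reply(reply)
        if undone is None:
            return "reset (firewall has no conntrack entry)"
        reply = undone

    # Client-side check: the SYN-ACK must come from the address/port it sent to.
    if (reply.src, reply.sport, reply.dport) == (syn.dst, syn.dport, syn.sport):
        return "established"
    return f"reset (reply from {reply.src}:{reply.sport}, expected {syn.dst}:{syn.dport})"


if __name__ == "__main__":
    print("DNAT only:      ", simulate(snat_hairpin=False))
    print("DNAT + SNAT:    ", simulate(snat_hairpin=True))
```

Without the SNAT rule the server's SYN-ACK arrives at the client directly from 192.168.1.20, while the client is waiting for a reply from 203.0.113.10, so the client's stack resets the connection; with it, the reply is forced back through the firewall, which undoes both translations before delivery. The mark-based variant Antony mentions (set a mark in mangle/PREROUTING on the inbound interface, match it in nat/POSTROUTING) selects the same packets by interface instead of by source subnet and is not modelled here.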
