On Thursday 31 October 2002 08:33 pm, Thomas Meindl wrote:
> okay, let's start again for the correct guys out there
> here's my original script which I have tested for two days
> doing all kinds of variations and combinations anyone could think of
> my problem is situated at the PREROUTING chain with DNAT
> I simply want a portforward

{Snip a few dozen lines :^}

> echo "forwarding port 1234 to 192.168.0.2:80.."
> $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d www.xxx.yyy.zzz \
>     --dport 1234 -j DNAT --to 192.168.0.2:80
> $IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d 192.168.0.2 \
>     --dport 80 -j ACCEPT
> $IPTABLES -t nat -A POSTROUTING -p tcp -o $EXTIF -s 192.168.0.2 \
>     --sport 80 -j SNAT --to www.xxx.yyy.zzz:1234

umm. Have you tried this with "-j DNAT --to-destination"?

Also, I think the third rule should go. In the situation you've outlined, Netfilter should handle the reversal of your DNAT operation automatically. Wouldn't "$IPTABLES -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT" be sufficient for forwarding?

> echo "allow all connections out and only existing and related ones in.."
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
>     --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG --log-prefix "FIREWALL (FORWARD Chain): "
>
> echo "enabling snat (masquerade) functionality on $EXTIF.."
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Question to list: At what point in its own travels does the returning packet get automatically un-DNATed? Prerouting again?

j
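As an added illustration (not part of the thread) of the trimmed port forward the reply proposes: a POSIX sh script that emits the DNAT rule with --to-destination plus the two FORWARD rules, and no reverse SNAT rule, since conntrack reverses the DNAT on reply packets by itself. Interface names and addresses are constructed placeholders, and DRY_RUN=1 (the default) prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: minimal DNAT port forward without the explicit reverse SNAT.
# Conntrack records the DNAT mapping on the first packet of a connection;
# replies from DSTIP:DSTPORT get their source rewritten back to PUBIP:PUBPORT
# on the way out (the nat POSTROUTING hook), with no rule of your own.
DRY_RUN=${DRY_RUN:-1}            # 1 = print rules, 0 = apply them
IPTABLES=${IPTABLES:-iptables}

# run: print the rule in dry-run mode, otherwise hand it to iptables.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# portforward EXTIF INTIF PUBIP PUBPORT DSTIP DSTPORT
# Example: portforward eth0 eth1 203.0.113.10 1234 192.168.0.2 80
portforward() {
    extif=$1; intif=$2; pubip=$3; pubport=$4; dstip=$5; dstport=$6
    # 1. Rewrite the destination in nat/PREROUTING (long option name).
    run -t nat -A PREROUTING -p tcp -i "$extif" -d "$pubip" \
        --dport "$pubport" -j DNAT --to-destination "$dstip:$dstport"
    # 2. The filter table sees the post-DNAT address, so the FORWARD rule
    #    matches the internal host, as the reply suggests.
    run -A FORWARD -p tcp -i "$extif" -o "$intif" -d "$dstip" \
        --dport "$dstport" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Replies travel INTIF -> EXTIF and match as ESTABLISHED.
    run -A FORWARD -i "$intif" -o "$extif" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    # No nat/POSTROUTING SNAT for the replies: conntrack un-DNATs them.
}
```

Apply for real with `DRY_RUN=0 sh script.sh` once the printed rules look right.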