On Thursday 31 October 2002 8:27 am, Renato Rossi wrote:

> Hi Antony
> I'm sorry for my academical English!
> I've a lot of problems with DNAT,
> I've web server (192.168.2.1/24) behind a dual homed firewall ($EXT=eth0
> $EXT_IP=A.B.C.D $INT=eth1 $INT_IP= 192.168.2.252)
> I set up DNAT rule and I can see packets with iptables -L -v -t nat, but
> no packets walk my internal lan (I use ethereal)
> I modify my rule to view if I can telnet web server in port 80 and all is
> ok SNAT work fine
>
> # SNAT
> $FW -t nat -A POSTROUTING -o $EXT -s $INT_NET -j SNAT --to-source $EXT_IP
>
> # DNAT
> $FW -t nat -A PREROUTING -p tcp -i $EXT --dport 80 -j DNAT --to-destination 192.168.2.1
>
> # FORWARD
> $FW -A FORWARD -i $EXT -p tcp --dport 80 -d 192.168.2.1 -j ACCEPT
> $FW -A FORWARD -o $EXT -p tcp --dport 80 -s 192.168.2.1 -j ACCEPT
>
> How can I resolve it??

There's no problem with the rules above.

Are you sure your ISP is allowing incoming connections on TCP port 80?

Try putting a LOG rule into your PREROUTING chain to log TCP port 80 packets and see if anything seems to be coming in to the firewall at all.

Antony.

--
The difference between theory and practice is that in theory there is no difference, whereas in practice there is.
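
Added example, not part of the original messages: one way to apply the LOG-rule suggestion above, logging port 80 traffic both before DNAT (nat PREROUTING) and after it (FORWARD), then reading the kernel log to see how far the packets got. The `DRY_RUN` and `WEB` variables, the `DNAT-PRE:` / `DNAT-FWD:` prefixes, the function names and the sample log lines are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: DRY_RUN, WEB, the
# DNAT-PRE:/DNAT-FWD: log prefixes and the function names.
FW=${FW:-iptables}; EXT=${EXT:-eth0}; WEB=${WEB:-192.168.2.1}

# Print the command by default; set DRY_RUN=0 (as root) to apply it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

add_log_rules() {
    # Stage 1: nat PREROUTING, before DNAT (sees the first packet of a connection).
    run "$FW" -t nat -I PREROUTING 1 -i "$EXT" -p tcp --dport 80 \
        -j LOG --log-prefix "DNAT-PRE:"
    # Stage 2: filter FORWARD, after DNAT has rewritten the destination.
    run "$FW" -I FORWARD 1 -i "$EXT" -p tcp -d "$WEB" --dport 80 \
        -j LOG --log-prefix "DNAT-FWD:"
}

# Read kernel log lines on stdin and report how far port 80 packets got.
diagnose() {
    log=$(cat)
    pre=$(printf '%s\n' "$log" | grep -c 'DNAT-PRE:' || true)
    fwd=$(printf '%s\n' "$log" | grep -c 'DNAT-FWD:' || true)
    if [ "$pre" -eq 0 ]; then
        echo "no-arrival"             # nothing reaches the firewall: look upstream
    elif [ "$fwd" -eq 0 ]; then
        echo "arrived-not-forwarded"  # check ip_forward, routing, the DNAT rule
    else
        echo "forwarded"              # check the web server and the return path
    fi
}

# Constructed sample log (documentation addresses), not captured output.
SAMPLE_LOG='kernel: DNAT-PRE:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=80 SYN
kernel: DNAT-FWD:IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.2.1 PROTO=TCP SPT=40112 DPT=80 SYN'

add_log_rules
printf '%s\n' "$SAMPLE_LOG" | diagnose
```

Remove the two LOG rules again once the test is done, since every matching connection attempt is written to the kernel log while they are in place.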