No joy yet. Have new box B w/fully updated RH 7.3. Uninstalled ipchains so iptables could run. Added rules shown below with 8080 changed to 80. Rules are visible in iptables -L -v. But when I sniff the client attempting to browse http://10.5.6.7 from same subnet, it's issuing SYNs with no reply. Same whether httpd is up/down on 10.5.6.7. Client can ping both B and A no problem.

Should netstat -an show listening on 80? Am I missing a fundamental setting that determines whether linux will forward packets at all? This box has an eth1 that's down...would it help to remove it? Or connect it?! Disabling wccp redirection on the router to the webcache doesn't help...client and B are in same subnet anyway.

Is nothing simple :-0 ?

Paul

-----Original Message-----
From: "Rob Sterenborg" <rsterenborg@xs4all.nl>
To: <netfilter@lists.netfilter.org>
Date: Mon, 23 Dec 2002 08:46:31 +0100
Subject: RE: RE: Can iptables create alias IP for another box?

> > Port 80 : webserver ?
> > Port 8080 : web-proxy ?
> > Don't need 8080 if iptables on B can do:
> > client(tcp/80)--> boxB--> boxA--> boxB--> client

Sure.

> I'd try :
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 1.2.3.4 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 10.5.6.7 -p tcp --dport
> 8080 -j DNAT --to-destination 1.2.3.4:80

Change 8080 into 80.

> A & B have one interface each, on different subnets routed to each other.

Well, if A can see B (and vice-versa) there should be no problem I think.

Rob
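The rule set discussed above, as an added example that is not code from either poster, written as a script for box B. It uses the thread's own placeholder addresses (alias 10.5.6.7 on B, real server 1.2.3.4 = A) and adds the two pieces the quoted rules leave out: the kernel forwarding switch (net.ipv4.ip_forward, read here from /proc/sys/net/ipv4/ip_forward; with it at 0 the kernel silently drops a DNATed SYN instead of routing it on to A, which matches "SYNs with no reply"), and a POSTROUTING SNAT so that A's SYN-ACK travels back through B rather than straight to the client from an address the client never contacted. Two points a reader checking this setup should know: DNAT is done in the kernel's nat table and opens no socket, so netstat -an on B will not show anything listening on 80; and ACCEPT rules in FORWARD never apply if forwarding itself is off. The IPT and FORWARD_FILE variables are hypothetical knobs added so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): make box B answer for
# 10.5.6.7:80 by DNATing the flow to the real web server A at 1.2.3.4:80.
# Addresses are the thread's placeholders; run as root on B with "apply".

ALIAS_IP="${ALIAS_IP:-10.5.6.7}"      # address B answers for (alias of A)
REAL_IP="${REAL_IP:-1.2.3.4}"         # box A, the real web server
PORT="${PORT:-80}"
IPT="${IPT:-iptables}"                # hypothetical knob: IPT=echo prints the rules instead
FORWARD_FILE="${FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"  # hypothetical knob for testing

# The "fundamental setting": without ip_forward=1 the kernel drops every
# packet not addressed to B itself, DNATed or not, so the SYN never reaches A.
forwarding_enabled() {
    [ -r "$FORWARD_FILE" ] && [ "$(cat "$FORWARD_FILE")" = "1" ]
}

enable_forwarding() {
    echo 1 > "$FORWARD_FILE"
}

apply_rules() {
    # Rewrite the destination before the routing decision so the SYN is
    # routed toward A instead of being delivered to a (non-existent) local
    # listener; no socket is opened, so netstat shows nothing on port 80.
    "$IPT" -t nat -A PREROUTING -d "$ALIAS_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$REAL_IP:$PORT"
    # A replies to the packet's source address. With the client and B on one
    # subnet and A on another, that reply would bypass B and arrive at the
    # client from 1.2.3.4, which it never contacted, so it gets a RST.
    # Rewriting the source to B's alias keeps both directions through B.
    "$IPT" -t nat -A POSTROUTING -d "$REAL_IP" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$ALIAS_IP"
    # Filter table: allow the new flow toward A and everything belonging to
    # an already-tracked connection (the replies on the way back).
    "$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -d "$REAL_IP" -p tcp --dport "$PORT" -j ACCEPT
}

# Usage on B:  sh dnat-alias.sh apply      (or IPT=echo sh dnat-alias.sh apply)
if [ "${1:-}" = "apply" ]; then
    forwarding_enabled || enable_forwarding
    apply_rules
fi
```

Verify afterwards with iptables -t nat -L -v -n: the PREROUTING counters should increase with each client SYN, and the FORWARD counters should increase too; if PREROUTING counts but FORWARD stays at zero, forwarding is still off. Because the SNAT hides the client address from A, A's access log will show 10.5.6.7 for every request.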