On Tuesday 11 February 2003 02:44 pm, Andreas Meyer wrote:
> Hello all!
>
> I have problems getting PREROUTING to work.
> I defined two simple rules:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.1.210 --dport 80 -j DNAT --to 192.168.1.3:3128
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.1.210 --dport 110 -j DNAT --to 192.168.1.75:110
>
> I try to telnet to the iptables-host from workstation:
>
> telnet 192.168.1.210 80
>
> and the connection times out.

Yep, it will do that.

Assuming you have FORWARD rules that would allow this traffic, and that eth0 is the LAN, the problem is likely this: you telnet to 192.168.1.210 from a client on the LAN, and it DNATs the connection to another IP in the same subnet. The final recipient of that initial connection (whether back to the same machine, or to the other one) replies DIRECTLY to the initiating client (it recognizes that the client is local to it) instead of back through the iptables-host to be unDNATted, so the response DOESN'T come from 192.168.1.210, is discarded silently by the client, and never even hits the iptables-host on the return trip. The client keeps waiting for a response from 192.168.1.210, and eventually times out.

For connections from OUTSIDE the LAN, it is sufficient to use the PREROUTING rule just as you have it, along with the appropriate FORWARD rules to allow the connection through both ways (since the return traffic would go through iptables-host anyway, according to your diagram).

If you need to connect from inside the LAN, you will also need a POSTROUTING rule to SNAT those specific connections so they appear to originate from iptables-host, ensuring that the return packets come back there to be unDNATted (and now unSNATted as well) and forwarded back to the client.

> I have no clue what is going on. No entries in the logs, nothing.
>
> ## Logging
> iptables -N nirwana
> iptables -A nirwana -p ICMP -j LOG --log-prefix "verw. ICMP Paket " --log-level info
> iptables -A nirwana -p UDP -j LOG --log-prefix "verw. UDP Paket " --log-level info
> iptables -A nirwana -p TCP -j LOG --log-prefix "verw. TCP Paket " --log-level info
> iptables -A nirwana -j DROP
>
> iptables -A INPUT -j nirwana
> iptables -A FORWARD -j nirwana
> iptables -A OUTPUT -j nirwana

You should be catching the initial packet in the FORWARD chain's TCP log rule. However, to use LOG as an on-the-fly trace tool, you should usually use "-I FORWARD 1" to ensure no other rule ACCEPTs the packet before it is LOGged. The packet would never go to INPUT or OUTPUT with a DNAT.
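As an added example (not from either poster), a small script that generates the complete rule set for the web case discussed above, including the POSTROUTING SNAT rule the reply says LAN-internal clients need; the LAN subnet 192.168.1.0/24, the FORWARD rules and the use of `-m state` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the iptables rules for a
# port forward that also works for clients on the same LAN ("hairpin" NAT).
# Defaults below mirror the thread: gateway 192.168.1.210, web -> 192.168.1.3:3128.
# The LAN subnet 192.168.1.0/24 and the FORWARD rules are assumptions.
hairpin_rules() {
    # $1 gateway IP (the iptables-host)  $2 LAN interface  $3 public port
    # $4 target host                      $5 target port    $6 LAN subnet
    gw=$1; lan_if=$2; ext_port=$3; target=$4; tport=$5; subnet=$6

    # 1. Rewrite the destination for anyone connecting to gw:ext_port (as in the thread).
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp -d $gw --dport $ext_port -j DNAT --to-destination $target:$tport"

    # 2. Allow the forwarded connection through the filter table, both directions.
    echo "iptables -A FORWARD -i $lan_if -o $lan_if -p tcp -d $target --dport $tport -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 3. Only for LAN-originated connections to the target: rewrite the source to the
    #    gateway, so the target answers the gateway (which undoes DNAT and SNAT and
    #    forwards the reply) instead of answering the client directly, where the
    #    reply from the "wrong" address would be silently discarded.
    echo "iptables -t nat -A POSTROUTING -o $lan_if -s $subnet -d $target -p tcp --dport $tport -j SNAT --to-source $gw"
}

# Print the rules by default; run with APPLY=1 as root to install them.
rules=$(hairpin_rules 192.168.1.210 eth0 80 192.168.1.3 3128 192.168.1.0/24)
if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$rules" | sh
else
    printf '%s\n' "$rules"
fi
```

The SNAT rule is deliberately limited to LAN sources and the forwarded target port, so traffic from outside the LAN and ordinary LAN-to-LAN traffic keep their real source addresses.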