On Monday 10 March 2003 01:05 am, Mcminn, Matt 8869 wrote:

> What I want to do is map port 80 on the external interface
> (eth0) to port 80 on my internal (eth1) 192.168.0.2 ip
> address. So what I thought would do this is:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
> DNAT --to 192.168.0.2
> iptables -I INPUT -d 192.168.0.0/32 -j ACCEPT

First part is right, second is wrong. Once you DNAT it, it is no longer
destined for the machine running iptables, so it goes to the FORWARD
chain, not the INPUT chain.

(Also, you have problems with that rule's construction: using "-I" you
should specify a rule number to insert before, like "-I INPUT 4" to make
it the 4th rule, plus your /32 mask will only match that single IP...)

Just change your second rule to:

    iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT

and the request will reach the local server.

Getting the reply traffic back out is a separate issue in FORWARD. If you
don't already have outbound traffic ACCEPTed, you'd need something like
one of these:

    iptables -A FORWARD -s 192.168.0.2 -p tcp --sport 80 -j ACCEPT

or

    iptables -A FORWARD -s 192.168.0.2 -m state --state \
        ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -d 192.168.0.2 -m state --state \
        ESTABLISHED,RELATED -j ACCEPT

The second pair (using the state match) is preferable, since they will
also allow ICMP traffic related to the HTTP connection.

If you already have connectivity from the local machines through this box
to the internet, then you probably don't need anything for outbound
replies. Also, the state pair is subsumed in the more general rule:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

which is commonly used to allow those two states to pass the FORWARD
chain in any direction.

j
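Putting the corrected pieces together as a reviewable shell script (an added example, not part of the original post or the list archive): it assumes the thread's values (eth0, 192.168.0.2, port 80), emits the rules as text for dry-run review before anything touches the live tables, and tightens the inbound FORWARD rule with -i and --state NEW, which the post did not include.

```bash
#!/bin/sh
# Assemble the corrected rule set from the thread: DNAT in nat/PREROUTING,
# then FORWARD (not INPUT) accepts for the forwarded connection and its replies.
# Constructed example; defaults are the values discussed in the thread.
set -eu

EXT_IF="${EXT_IF:-eth0}"
INT_HOST="${INT_HOST:-192.168.0.2}"
PORT="${PORT:-80}"

# Emit the rules as text so they can be reviewed (or piped to sh) first.
# The inbound FORWARD rule is restricted to the external interface and to
# NEW connections; replies in either direction ride on the general
# ESTABLISHED,RELATED rule from the end of the post.
port_forward_rules() {
    ext_if=$1; host=$2; port=$3
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to-destination $host
iptables -A FORWARD -i $ext_if -d $host -p tcp --dport $port -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Self-check a reviewer would run: DNAT'd traffic never traverses INPUT,
# so a correct rule set for this task has FORWARD rules and no INPUT rule.
rules_use_forward_not_input() {
    rules=$(port_forward_rules "$@")
    echo "$rules" | grep -q -- '-A FORWARD' || return 1
    ! echo "$rules" | grep -q -- ' INPUT '
}

# DRY_RUN=1 (the default) only prints; DRY_RUN=0 executes the rules as root.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        port_forward_rules "$@"
    else
        port_forward_rules "$@" | sh -e
    fi
}

apply_rules "$EXT_IF" "$INT_HOST" "$PORT"
```

After applying for real, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v --line-numbers` show the packet counters climbing on the DNAT and FORWARD rules while INPUT stays untouched by this traffic.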