Re: "-o" specifier in DNAT definition?

On Sat, 2003-04-19 at 07:54, Robert P. J. Day wrote:
>   in a book i'm reading discussing (among other things),
> setting up DNAT, there is a sample rule:
> 
>   # iptables -t nat -A PREROUTING -i eth0 -o eth1
> 	-d <internal server IP address>
> 	-j DNAT --to-destination 192.168.0.1
> 
> the question: how can the explicit specification of the
> "-o" interface affect this?
>   
>   after all, it's quite possible that the interface that
> would normally be chosen to forward to the internal
> server would not be the one listed with "-o".  (perhaps
> the admin made a mistake.)
> 
>   if there is an obvious conflict here, what happens?
> does this DNAT just go unsatisfied?


Everything before "-j" is matching, the "-j" tells it what you want done
if the packet matches.  So the "-o" is simply testing which interface
the packet is targeted to go out.

The problem here is that the "-o" match isn't valid in PREROUTING, since
(as the name implies) it takes place before the routing decision, so the
destination (obviously since this is where we can DNAT) and therefore
the outbound interface are still unknown.

So there IS a conflict here, between "-o" and PREROUTING in a sense, and
the result will be that the rule won't even be created.  If you try to
enter this rule manually you will be informed "Can't use -o with
PREROUTING".

> rday

j
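Added example, not part of the thread and not iptables' own code: a small POSIX shell preflight check that applies the same interface-match restrictions iptables' userspace enforces before a rule ever reaches the kernel (the "Can't use -o with PREROUTING" refusal described above, and its mirror image, "-i" in POSTROUTING or OUTPUT), plus one check of this example's own, that DNAT only appears in nat/PREROUTING or nat/OUTPUT. It needs neither root nor a live netfilter, so a firewall script can be linted before it is loaded. The interface names and addresses (eth0, eth1, 203.0.113.10, 192.168.0.1) are constructed for the demonstration, and the wording of the DNAT complaint is the example's, not iptables'.

```shell
#!/bin/sh
# Added example (not from the thread): offline preflight check for iptables
# rules, mirroring what iptables' userspace rejects before talking to the
# kernel, so a firewall script can be linted without root or a live box.
#   - "-o" is refused in PREROUTING and INPUT: no routing decision has been
#     made yet, so the output interface is unknown (the case in the thread).
#   - "-i" is refused in POSTROUTING and OUTPUT: locally generated or
#     already-routed packets have no input interface.
#   - DNAT is only valid in the nat table, in PREROUTING or OUTPUT; this
#     check and its wording are the example's own (the kernel just says EINVAL).
# Builtin chains only; user-defined chains are not checked here.

check_rule() {
    table=filter chain='' in_if='' out_if='' target=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|--table|-A|-I|-D|-R|-i|--in-interface|-o|--out-interface|-j|--jump)
                [ $# -ge 2 ] || { echo "check_rule: $1 needs an argument" >&2; return 1; }
                case "$1" in
                    -t|--table)         table=$2 ;;
                    -A|-I|-D|-R)        chain=$2 ;;
                    -i|--in-interface)  in_if=$2 ;;
                    -o|--out-interface) out_if=$2 ;;
                    -j|--jump)          target=$2 ;;
                esac
                shift ;;
        esac
        shift
    done
    if [ -z "$chain" ]; then
        echo "check_rule: no chain given (-A/-I/-D/-R)" >&2
        return 1
    fi
    # Interface matches that cannot be satisfied at this hook.
    case "$chain" in
        PREROUTING|INPUT)
            if [ -n "$out_if" ]; then
                echo "iptables: Can't use -o with $chain" >&2
                return 1
            fi ;;
        POSTROUTING|OUTPUT)
            if [ -n "$in_if" ]; then
                echo "iptables: Can't use -i with $chain" >&2
                return 1
            fi ;;
    esac
    # DNAT must run before routing, which pins it to nat/PREROUTING or nat/OUTPUT.
    if [ "$target" = DNAT ]; then
        case "$table/$chain" in
            nat/PREROUTING|nat/OUTPUT) ;;
            *)
                echo "check_rule: DNAT not valid in $table/$chain (needs nat/PREROUTING or nat/OUTPUT)" >&2
                return 1 ;;
        esac
    fi
    return 0
}

# Constructed demonstration: eth0 faces the Internet, eth1 the LAN,
# 203.0.113.10 is the public address, 192.168.0.1 the internal web server.
# The rule from the book, as posted: refused before it reaches the kernel.
check_rule -t nat -A PREROUTING -i eth0 -o eth1 -d 203.0.113.10 \
    -j DNAT --to-destination 192.168.0.1 || echo "refused, as the thread says"

# What was presumably meant: match the inbound interface where the DNAT
# happens, and police the outbound interface in FORWARD, after the routing
# decision, where both interfaces are known.
check_rule -t nat -A PREROUTING -i eth0 -d 203.0.113.10 \
    -j DNAT --to-destination 192.168.0.1 && echo "nat/PREROUTING rule ok"
check_rule -A FORWARD -i eth0 -o eth1 -d 192.168.0.1 -p tcp --dport 80 \
    -j ACCEPT && echo "filter/FORWARD rule ok"
```

Running the script prints the refusal for the book's rule and accepts the split version: the DNAT in nat/PREROUTING matches only the inbound interface, and the outbound-interface match moves to filter/FORWARD, which runs after routing. One further point for anyone copying the book's rule: DNAT's "-d" is matched against the destination before translation, so it names the address the packets arrive with, not the internal server.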
