> You should add an SNAT rule, so your inside box is able to answer to the
> outside connection from private IP (10.0.0.112).

This is not necessarily true; this isn't a requirement until the 10.0.0.112 machine needs to make the first move and make an outgoing connection (SYN). Only then would you need SNAT. DNAT connections should be handled fine with ip_conntrack.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

-----Original Message-----
From: Szabo Nandor [mailto:medve@xxxxxxxxxx]
Sent: Wednesday, May 21, 2003 7:49 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: nat no traffic returns

B. van Ouwerkerk writes:
> This one is really starting to get me.
>
> I have worked with iptables before without connections started from the
> outside. In this case I need to allow connections from the outside to go to
> a box on the inside.
>
> I was under the impression that a rule like:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d public_ip --dport 3389 -j
> DNAT --to 10.0.0.112:3389
>
> would send the incoming packets to the inside box. And that:
>
> iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.112 -j ACCEPT
> or
> iptables -A FORWARD -i eth1 -j ACCEPT
>
> should send any reply from the inside box to the world.
> But it isn't happening :(

You should add an SNAT rule, so your inside box is able to answer to the
outside connection from private IP (10.0.0.112).

# iptables -t nat -A POSTROUTING -s 10.0.0.112 -o eth0 -j SNAT --to-source public_ip

Nandor Szabo
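The following is an added illustration, not code from the thread, of the point George makes above: a toy model of how ip_conntrack records the DNAT mapping on the first inbound packet and reverses it on the reply, so the RDP forward needs no SNAT rule, while a connection that 10.0.0.112 itself opens does. The inside host and port come from the thread; the public address (203.0.113.5) and the remote peer (198.51.100.7) are constructed stand-ins.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"   # constructed stand-in for the thread's public_ip
INSIDE_HOST = "10.0.0.112"  # the inside box from the thread
# The PREROUTING rule from the thread: public_ip:3389 -> 10.0.0.112:3389
DNAT_RULES = {(PUBLIC_IP, 3389): (INSIDE_HOST, 3389)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Minimal conntrack-style NAT: one table keyed by the 4-tuple of the
    packet that must be translated, valued by the address/port to restore."""

    def __init__(self, snat=False):
        self.snat = snat      # True if Nandor's POSTROUTING SNAT rule is present
        self.table = {}

    def from_outside(self, pkt):
        """Packet arriving on eth0 from the Internet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:                      # reply to an SNATed flow
            host, port = self.table[key]
            return Packet(pkt.src, pkt.sport, host, port)
        target = DNAT_RULES.get((pkt.dst, pkt.dport))
        if target is None:
            return None                            # no rule: nothing forwarded
        # New inbound flow: apply DNAT and remember how to undo it on the reply.
        self.table[(target[0], target[1], pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, pkt.sport, target[0], target[1])

    def from_inside(self, pkt):
        """Packet from the inside box heading out through eth0."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:                      # reply in a DNATed flow
            host, port = self.table[key]           # restore public_ip:3389
            return Packet(host, port, pkt.dst, pkt.dport)
        if not self.snat:
            # Inside-initiated SYN with no conntrack entry: the private
            # source address leaves unchanged and the reply cannot come back.
            return pkt
        self.table[(pkt.dst, pkt.dport, PUBLIC_IP, pkt.sport)] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport)
```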