Re: DNAT question..

Hi Rio,

   I think the problem is in the destination IP address: you have to use the
external IP, so I think the rule should be:

iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 211.1.1.10 \
   --dport 80 -j SNAT --to 192.168.1.1

Hope this helps

Federico.

Chris Wilson wrote:

> Hi Rio,
>
> > > You need to SNAT internal connections so that replies go via the
> > > firewall instead of directly to the client, otherwise the firewall
> > > cannot reverse the DNAT and the client drops the reply packet.
> > > Try this rule:
> > > iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.2 \
> > >   --dport 80 -j SNAT --to 192.168.1.1
> >
> > I don't know, I tried but it still won't connect to the web server.
> > Connection Refused.
>
> Is it possible that an earlier rule in the POSTROUTING chain is overriding
> this one? Could you try:
>
>         iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.2 \
>                 -p tcp --dport 80 -j MASQUERADE
>
> If that doesn't work, please send your ruleset (iptables -L -n -v;
> iptables -t nat -L -n -v) and tcpdump of packets on the internal interface
> of your firewall when you try to connect.
>
> Cheers, Chris.
> --
>    ___ __     _
>  / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
> / (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
> \ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
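
A complete hairpin NAT ruleset for the setup discussed in this thread, as an added example that is not code from Federico or Chris. The addresses (211.1.1.10, 192.168.1.0/24, 192.168.1.1, 192.168.1.2, port 80) are taken from the thread; the interface names eth0/eth1 and the helper function names are assumptions. It also shows why the POSTROUTING rule has to match on the server's real address: the nat PREROUTING chain has already rewritten the destination by the time POSTROUTING is evaluated, so a rule matching on the public address there never fires.

```shell
#!/bin/sh
# Added example: hairpin ("loopback") NAT for LAN clients reaching an internal
# web server through the firewall's public address. Not code from the thread.
WAN_IF=eth0                  # assumed external interface
LAN_IF=eth1                  # assumed internal interface
EXT_IP=211.1.1.10            # public address clients connect to (from thread)
LAN_NET=192.168.1.0/24       # internal network (from thread)
FW_LAN_IP=192.168.1.1        # firewall's LAN address (from thread)
SERVER=192.168.1.2           # internal web server (from thread)
PORT=80

# Emit the rules instead of applying them; pipe to sh on the firewall after review.
hairpin_nat_rules() {
    # 1. Outside -> public IP: rewrite the destination to the server.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $EXT_IP --dport $PORT -j DNAT --to-destination $SERVER"
    # 2. LAN client -> public IP: same DNAT, but for packets arriving on the LAN side.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -s $LAN_NET -d $EXT_IP --dport $PORT -j DNAT --to-destination $SERVER"
    # 3. POSTROUTING runs after the DNAT above, so the destination to match is
    #    already $SERVER. Source-NAT these hairpin flows to the firewall so the
    #    server replies to the firewall, which can then reverse the DNAT. Without
    #    this the server answers the client directly and the client drops the reply.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -s $LAN_NET -d $SERVER --dport $PORT -j SNAT --to-source $FW_LAN_IP"
    # 4. Let the translated traffic through the filter table.
    echo "iptables -A FORWARD -p tcp -d $SERVER --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Sanity check for a candidate POSTROUTING rule (string match only): returns 0
# when the rule matches on the server's real address, 1 when it matches on the
# public address, which can never be seen in POSTROUTING after the DNAT.
postrouting_rule_ok() {
    case "$1" in
        *"-d $SERVER "*) return 0 ;;
        *)               return 1 ;;
    esac
}

if [ "$1" = "apply" ]; then
    hairpin_nat_rules | sh
else
    hairpin_nat_rules
fi
```

Run without arguments to review the generated rules, or with `apply` on the firewall to load them. To confirm that the SNAT is taking effect, `iptables -t nat -L POSTROUTING -n -v --line-numbers` shows the rule order and packet counters (an earlier MASQUERADE or SNAT rule with a matching selector will take precedence, which is the ordering problem Chris raises), and a tcpdump on the internal interface should show the forwarded requests arriving at the server with the firewall's LAN address as their source.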

