This is correct for when you have an internal website running on 192.168.0.1 and your application on the firewall wants to browse it: the DNS will resolve to the external IP address and your firewall won't be able to connect to it because the IP doesn't exist, so you have to DNAT its OUTPUT connection to it. The reason for the error is most likely because the old (and possibly still current) version of iptables had a NAT OUTPUT bug which fails when trying to NAT the OUTPUT chain. There's a p-o-m called "local-nat" or something which is the fix for this.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of cc
Sent: Thursday, July 31, 2003 6:55 PM
To: Netfilter Group
Subject: iptables tutorial on DNAT

Hi,

I was reading the DNAT part of the IPTABLES tutorial and have found it quite confusing. In section 6.5.2, near the end it writes:

    iptables -t nat -A OUTPUT --dst $INET_IP -p tcp --dport 80 \
        -j DNAT --to-destination $HTTP_IP

Is this a mistake? I used the above line (with some modifications to suit my setup) and I get an invalid argument. Also, I noticed that the DNAT rules don't include the -i eth? argument. Is it necessary?

Any clarifications appreciated.

Edmund
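As an added example (not from either message above), this script lays out the two DNAT rules side by side: the PREROUTING rule for clients arriving from outside, where `-i` makes sense, and the OUTPUT rule from section 6.5.2 for connections made by the firewall itself, where locally generated packets have no input interface and `-i` is not accepted. The addresses and interface name are constructed placeholders; `DRY_RUN` (assumed helper, default on) prints the commands instead of applying them.

```shell
#!/bin/sh
# Constructed sample values; replace with your own setup.
INET_IP="203.0.113.10"     # address the public DNS name resolves to
HTTP_IP="192.168.0.1"      # internal web server
INET_IFACE="eth0"          # interface facing the Internet

# Wrapper: print the command unless DRY_RUN=0, so the rules can be
# reviewed (and this block run) without touching a live firewall.
ipt() {
    if [ "${DRY_RUN:-1}" = "0" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

dnat_rules() {
    # Traffic arriving from outside passes PREROUTING; -i restricts the
    # match to packets that really came in on the Internet interface.
    ipt -t nat -A PREROUTING -i "$INET_IFACE" -d "$INET_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$HTTP_IP"
    # Connections opened by processes on the firewall never traverse
    # PREROUTING; they enter the nat table in OUTPUT. Locally generated
    # packets have no input interface, so no -i here.
    ipt -t nat -A OUTPUT -d "$INET_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$HTTP_IP"
}

# After a test fetch from the firewall (e.g. wget http://$INET_IP/),
# the OUTPUT rule's packet counter should increase.
show_output_chain() {
    ipt -t nat -L OUTPUT -n -v
}

dnat_rules
show_output_chain
```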