On Wed, Sep 10, 2003 at 11:22:53PM +0530, Payal Rathod wrote:
> Hi,
> I had kept the default policy of FORWARD as drop.
> Now, I wanted to see an internal machine from the internet. So, I used
> DNAT as,
>
> iptables -A PREROUTING -t nat -d <ext ip> -j DNAT --to <int ip>
>
> It didn't work. When I set the default FORWARD policy to ACCEPT it
> worked.
>
> What is a better approach? I want to have a default DROP in FORWARD
> chain. My FORWARD chain looked like this,

Keep the default "DROP" policy and just open whatever is needed, including the DNAT'ed packets coming in. The place of the ESTABLISHED,RELATED rule should be at the top of your rule set.

Ramin
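As an added illustration of Ramin's advice (this is example code written for this page, not a script posted in the thread), here is a FORWARD chain that keeps the default DROP policy, puts the ESTABLISHED,RELATED rule first, and then opens only the DNAT'ed service. The interface names, addresses and port are assumed placeholders. The key point for the DNAT case is that by the time a packet reaches FORWARD its destination has already been rewritten in nat/PREROUTING, so the ACCEPT rule has to match the internal address, not the external one. Setting IPT=echo prints the rules instead of applying them, which is handy for reviewing a rule set without root.

```shell
#!/bin/sh
# Example rule set (not from the original thread). All values below are
# assumed placeholders; adjust them for the real network.
EXT_IF="${EXT_IF:-eth0}"              # assumed interface facing the internet
INT_IF="${INT_IF:-eth1}"              # assumed interface facing the LAN
EXT_IP="${EXT_IP:-203.0.113.10}"      # assumed public address (documentation range)
INT_IP="${INT_IP:-192.168.1.20}"      # assumed internal server
SVC_PORT="${SVC_PORT:-80}"            # assumed published service port
IPT="${IPT:-iptables}"                # IPT=echo prints the rules instead of applying them

apply_rules() {
    # Default policy stays DROP: nothing is forwarded unless a rule below matches.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # First rule: replies belonging to connections we already accepted.
    # Keeping it at the top means every other rule only has to consider NEW packets.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may open outbound connections.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT

    # The DNAT'ed service: FORWARD sees the packet after PREROUTING rewrote the
    # destination, so match on the internal address and port, not on EXT_IP.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_IP" -p tcp --dport "$SVC_PORT" \
         -m state --state NEW -j ACCEPT

    # The DNAT itself lives in the nat table; restricting it to the service port
    # avoids forwarding every port of the public address to the internal host.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$SVC_PORT" \
         -j DNAT --to-destination "$INT_IP"
}

# Check helper: reads a rule listing (e.g. `iptables -S FORWARD`) on stdin and
# returns 0 only if the first FORWARD rule is the ESTABLISHED,RELATED accept.
established_first() {
    first=$(grep '^-A FORWARD' | head -n 1)
    case "$first" in
        *"--state ESTABLISHED,RELATED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run as `sh rules.sh apply` to load the rules; with no argument nothing is changed.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

A quick sanity check on a live box is `iptables -S FORWARD | sh rules.sh`-style use of established_first, or simply confirming that the ESTABLISHED,RELATED line is listed first; if some other ACCEPT or DROP precedes it, reply packets for the published service may be evaluated against rules that were never meant for them.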