On Mon 06/10/2003 at 15:19, Venkatesh. K wrote:
> You have to get the concept of DNAT right. DNAT only works when the DNAT ip
> address is on a separate subnet.

You can DNAT to the same subnet providing you SNAT the forwarded flow with
the redirector IP.

192.168.1.3 ----> 192.168.1.2 ----> 192.168.1.1

On 192.168.1.2 :

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT \
    --to 192.168.1.1
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.1 \
    --dport 80 -j SNAT --to 192.168.1.2

This prevents 192.168.1.3 from replying to 192.168.1.2 directly, and thus
confusing 192.168.1.1. It's a common issue for people trying to reach an
inside host belonging to the same subnet via its public DNAT IP.

From OP :
>> iptables -t nat -A POSTROUTING -p tcp --sport 80 -j SNAT
>> --to-source 192.168.1.2

This is not needed as returning packets for natted connections are
automatically handled through the conntrack engine.

By the way, I would have set this up using a simple TCP port redirector like
redir.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
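The following is an added example, not part of the mail above and not anything its author shipped. It generates the same DNAT/SNAT rule pair for the 192.168.1.x hosts used in the thread, and only emits the POSTROUTING SNAT rule when the forwarded target actually shares the client's subnet (the case where the server would otherwise answer the client directly and the client would discard a reply from an address it never contacted). The addresses are the thread's constructed ones, the /24 prefix length is an assumption, and the helper names (ip_to_int, same_subnet, hairpin_nat_rules) are mine. The script only prints the iptables commands; it does not apply them.

```shell
#!/bin/sh
# Added example: generate the hairpin DNAT/SNAT rules from the thread,
# adding the SNAT rule only when client and server are on one subnet.
# Assumed prefix length: /24. Addresses: client 192.168.1.3,
# redirector 192.168.1.2, inside server 192.168.1.1 (from the thread).

# ip_to_int A.B.C.D -> dotted quad as an unsigned 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B PREFIXLEN -> succeeds when A and B share the network part
same_subnet() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); plen=$3
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# hairpin_nat_rules CLIENT REDIRECTOR SERVER PORT PREFIXLEN
# Prints the iptables commands to run on REDIRECTOR (hypothetical helper).
hairpin_nat_rules() {
    client=$1; redirector=$2; server=$3; port=$4; plen=$5
    # Always: rewrite the destination to the inside server.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $port -j DNAT --to $server"
    if same_subnet "$client" "$server" "$plen"; then
        # Same subnet: without SNAT the server replies to the client directly,
        # bypassing the redirector, and the client drops the unexpected reply.
        # SNAT to the redirector forces the return path back through conntrack,
        # which un-NATs the replies on its own (no --sport 80 SNAT rule needed).
        echo "iptables -t nat -A POSTROUTING -p tcp -d $server --dport $port -j SNAT --to $redirector"
    fi
}

# Sample run with the thread's addresses: prints both rules.
hairpin_nat_rules 192.168.1.3 192.168.1.2 192.168.1.1 80 24
```

Run it as is to see the two rules for the same-subnet case; change the server argument to an address outside 192.168.1.0/24 and only the DNAT rule is printed, which matches the original poster's claim for the cross-subnet case.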