Re: Simple newbie's question

On Tuesday 17 February 2004 8:26 am, Oriol Magrané wrote:

>     I'm telnetting from the machine with the netfilter rules on it (so you
> say that it won't work).
>     But why won't it work?

Because the PREROUTING rule applies to packets coming in to the machine from 
the network, before they get routed, either locally or remotely.

Packets which start on the machine itself do not go through PREROUTING.

>     Is there any other way to achieve it?

Sure - run the telnet command from a machine inside your LAN, or else connect 
to the correct address & port from the firewall.

The first (telnet from a LAN machine) would be the best choice, because this 
is more representative of how you want the system to work in practice 
(because surely you don't have any applications generating packets running on 
your firewall itself, do you :) ?)

You might be able to get the DNAT target in the OUTPUT chain working (although 
I have seen reports that people find this problematic, and I've never needed 
to use it).   The OUTPUT chain is the correct place for you to do this, 
because that and POSTROUTING are the only two chains your locally-generated 
packets will go through.

Regards,

Antony.

> ----- Original Message -----
> From: "Antony Stone" <Antony@xxxxxxxxxxxxxxxxxxxx>
> To: <netfilter@xxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, February 17, 2004 1:26 AM
> Subject: Re: Simple newbie's question
>
> On Monday 16 February 2004 5:29 pm, Oriol Magrané wrote:
> >     Hello!!
> >     I have a linux box (with ip 192.168.4.172) connected to the Internet
> > through an ADSL router (with ip 192.168.4.10). Now I'd like to do some port
> > forwarding on the box itself, so that outgoing connections to port 80 of
> > host 212.59.199.45 go to port 110 of host 212.59.199.75.
> >
> >     So I do:
> >
> >         iptables -t nat -A PREROUTING -p tcp -d 212.59.199.45 --dport 80 -j
> > DNAT --to 212.59.199.75:110
> >
> >     Which seems the logical thing to do.
> >     But when I telnet 212.59.199.45 80 the kernel continues to send packets
> > to port 80 of 212.59.199.45 ignoring my wishes and commands. What am I
> > doing wrong?
>
> 1. Where are you testing the telnet from?   The machine with the netfilter
> rules on it (won't work) or a machine on your LAN which is routed through the
> netfilter machine (should work)?
>
> 2. Do you have a suitable FORWARD rule to allow the packets to get to
> 212.59.199.45 TCP port 110?
>
> Regards,
>
> Antony.

-- 
This email is intended for the use of the individual addressee(s) named above 
and may contain information that is confidential, privileged or unsuitable 
for overly sensitive persons with low self-esteem, no sense of humour, or 
irrational religious beliefs.

If you have received this email in error, you are required to shred it 
immediately, add some nutmeg, three egg whites and a dessertspoonful of 
caster sugar.   Whisk until soft peaks form, then place in a warm oven for 40 
minutes.   Remove promptly and let stand for 2 hours before adding some 
decorative kiwi fruit and cream.   Then notify me immediately by return email 
and eat the original message.

                                                     Please reply to the list;
                                                           please don't CC me.
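Added example (not from Antony's mail or from the netfilter project): a small Python model of the chain traversal described in the reply above. It shows why the PREROUTING DNAT rule from the question never sees a packet generated on the firewall itself, while the same rule placed in the nat OUTPUT chain does. The chain lists, the Packet type and the helper names are assumptions of this model, and connection tracking is not modelled.

```python
"""Toy model of netfilter chain traversal for the DNAT question in this thread."""
from dataclasses import dataclass, replace

# Chains traversed, in order, for the two packet origins the reply distinguishes.
# Assumption of this model: only the chains relevant to DNAT are listed; FORWARD is
# a filter-only chain here (Antony's second question), and conntrack is ignored.
PATHS = {
    "forwarded": ["PREROUTING", "FORWARD", "POSTROUTING"],  # arrives from the LAN
    "local":     ["OUTPUT", "POSTROUTING"],                 # generated on the firewall
}

@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int

def dnat_rule(chain, match_dst, match_port, to_dst, to_port):
    """Model of: iptables -t nat -A <chain> -p tcp -d <match_dst> --dport <match_port>
    -j DNAT --to <to_dst>:<to_port>"""
    return {"chain": chain, "match": (match_dst, match_port), "to": (to_dst, to_port)}

def traverse(pkt, origin, rules):
    """Walk the chains for this origin; apply the first matching DNAT rule per chain.
    DNAT only lives in PREROUTING and OUTPUT, so a rule in any other chain never fires."""
    for chain in PATHS[origin]:
        if chain not in ("PREROUTING", "OUTPUT"):
            continue
        for rule in rules:
            if rule["chain"] == chain and (pkt.dst, pkt.dport) == rule["match"]:
                pkt = replace(pkt, dst=rule["to"][0], dport=rule["to"][1])
                break
    return pkt

# The rule from the original question, and the same rule moved to the nat OUTPUT chain.
PREROUTING_RULE = dnat_rule("PREROUTING", "212.59.199.45", 80, "212.59.199.75", 110)
OUTPUT_RULE = dnat_rule("OUTPUT", "212.59.199.45", 80, "212.59.199.75", 110)

def where_does_it_go(origin, rules):
    """Final (dst, dport) of 'telnet 212.59.199.45 80' issued from the given origin."""
    out = traverse(Packet("212.59.199.45", 80), origin, rules)
    return out.dst, out.dport

if __name__ == "__main__":
    print(where_does_it_go("local", [PREROUTING_RULE]))      # ('212.59.199.45', 80): untouched
    print(where_does_it_go("forwarded", [PREROUTING_RULE]))  # ('212.59.199.75', 110)
    print(where_does_it_go("local", [OUTPUT_RULE]))          # ('212.59.199.75', 110)
```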



