> > > It is normally recommended *not* to do filtering in the nat or mangle
> > > tables, however in this case if you really want to do what you say then
> > > that is the solution.
> > >
> > > iptables -I PREROUTING -t nat -s 192.168.1.0/24 -d 192.168.10.10 -p tcp --dport 80 -j DROP
> > >
> > > Note the -I which inserts the rule before the prerouting rule you listed
> > > above.
> >
> > Thanks.
> >
> > > however in this case if you really want to do what you say then that is
> > > the solution.
> >
> > Is there another and better way to redirect traffic to the inside?
>
> Well, DNAT is normally used to map externally-accessible public IPs to real
> internal systems on non-routable 10.x.y.z, 172.16.a.b or 192.168.c.d
> addresses, therefore the problem never arises (since people across the
> Internet can't send packets to the real private addresses even if they knew
> what they were).
>
> There isn't a "better" way to redirect traffic to other IP addresses,
> however why do you think it's a problem for people to use the "real" address
> instead of the one you're telling them to use? They have access to the
> machine, so why does it really matter which address they use to connect to
> it?
>
> Regards,
>
> Antony.
>
The problem is that many hosts, with this setup, are actually connected to the
internet using a public IP, and being able to resolve internal IP information
is not good.

Bo
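The thread's point is that the DROP does not have to live in the nat table: the DNAT in PREROUTING rewrites the destination, and the filter table's FORWARD chain then sees the packet with the real server address, where it can be filtered normally. The script below is an added example, not code from the thread or from either poster. It keeps the addresses from the thread (192.168.1.0/24, 192.168.10.10, port 80) and assumes a public address of 203.0.113.10 for the firewall (an assumption, chosen from the documentation range) and a kernel with the conntrack match (xt_conntrack) so that `--ctstate DNAT` is available. It lets the LAN reach the server only through the public address, which is the behaviour the original question asked for, while the DNAT itself stays untouched.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT the public address to the internal
# web server, then enforce "use the public address" in the filter table's
# FORWARD chain instead of dropping inside the nat table.
#
# Assumptions (not in the thread): the firewall's public address is
# 203.0.113.10 and the kernel has xt_conntrack so --ctstate DNAT works.
# 192.168.1.0/24, 192.168.10.10 and port 80 come from the thread itself.

PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}
SERVER_IP=${SERVER_IP:-192.168.10.10}
LAN_NET=${LAN_NET:-192.168.1.0/24}
# Set IPT=echo to dry-run: the rules are printed instead of loaded.
IPT=${IPT:-iptables}

# 1. Redirect: connections to the public address, port 80, go to the server.
#    The nat table only sees the first packet of each connection; the decision
#    is recorded in conntrack and applied to the rest of the flow.
rule_dnat() {
    "$IPT" -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER_IP"
}

# 2. Filter in the filter table, where the destination is already rewritten.
#    Connections that arrived via the public address carry ctstate DNAT;
#    connections addressed straight to the server do not, and are dropped.
rule_block_direct() {
    "$IPT" -A FORWARD -s "$LAN_NET" -d "$SERVER_IP" -p tcp --dport 80 \
        -m conntrack ! --ctstate DNAT -j DROP
}

# 3. Let the redirected connections through to the server.
rule_allow_dnat() {
    "$IPT" -A FORWARD -d "$SERVER_IP" -p tcp --dport 80 \
        -m conntrack --ctstate DNAT -j ACCEPT
}

apply_rules() {
    rule_dnat && rule_block_direct && rule_allow_dnat
}

# Only touch the running firewall when explicitly asked:  sh fw.sh apply
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run with `IPT=echo sh fw.sh apply` first to see the three rules without loading them. On a kernel too old for the conntrack match, the `! --ctstate DNAT` rule is unavailable and the thread's own `-I PREROUTING -t nat ... -j DROP` is the fallback; the difference is only where the drop happens, not what gets dropped.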