Hello all,
I am still stuck with my DNAT. I updated the information that was requested. Could you please check my config? If I execute this I cannot ping the internal LAN IP of this host, 172.25.239.208, any more. I think this is really weird. I included all kinds of information, hopefully enough for you guys to take a look at.
Cheers,
Bert
$IPTABLES -t nat -A PREROUTING -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16
$IPTABLES -t nat -A OUTPUT -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16
The dest ip address/mask pattern looks odd. I am not sure how this address matching works, but the way I imagine it to work is that a mask is generated and applied to an address to test and then this is compared to the address given. That is, I think the address given is not masked. If this is so, then there might be a failure to match destination addresses.
I think a /27 mask is meant to select a contiguous group of 27 addresses, that is 5 bits. I think masking the 5 low bits of a number like 220 or 208 gives 192 (xC0) and a rule like .192/27 would match addresses in the range 192-223 (xC0-xDF), where .220/27 might match nothing.
Of course, the code might be written another way, where this would not be a problem.
You could try logging what is happening or looking at the counts to see if the rules are matching. I think this will do it:
iptables -L -t nat -nvx
Jim
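Jim's reply reasons about how the /27 mask in Bert's rules is applied. The following is an added example, not code from either post: it evaluates the `-d 172.25.239.220/27` match the way netfilter does, with the mask ANDed onto both the rule address and the packet's destination before comparing, and then shows which destination the DNAT rule would rewrite for the host's own address 172.25.239.208. Rule and target addresses are taken from Bert's post; the helper names are my own.

```python
import ipaddress


def netmask(prefix_len: int) -> int:
    """32-bit IPv4 mask for a prefix length, e.g. /27 -> 0xFFFFFFE0."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def rule_matches(rule_dst: str, packet_dst: str) -> bool:
    """netfilter semantics: (packet_addr & mask) == (rule_addr & mask).

    The rule address is masked too, so '172.25.239.220/27' behaves exactly
    like '172.25.239.192/27' (which is what `iptables -S` would print back).
    """
    addr_str, prefix_str = rule_dst.split("/")
    mask = netmask(int(prefix_str))
    rule_int = int(ipaddress.IPv4Address(addr_str)) & mask
    pkt_int = int(ipaddress.IPv4Address(packet_dst))
    return (pkt_int & mask) == rule_int


def matched_range(rule_dst: str) -> tuple[str, str]:
    """First and last destination address the rule's address/mask covers."""
    addr_str, prefix_str = rule_dst.split("/")
    mask = netmask(int(prefix_str))
    base = int(ipaddress.IPv4Address(addr_str)) & mask
    last = base | (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(last))


def dnat_target(rule_dst: str, to_destination: str, packet_dst: str) -> str:
    """Destination a packet ends up with after a PREROUTING/OUTPUT DNAT rule."""
    return to_destination if rule_matches(rule_dst, packet_dst) else packet_dst


if __name__ == "__main__":
    rule = "172.25.239.220/27"          # from Bert's rules
    print("rule covers", matched_range(rule))
    for dst in ("172.25.239.208", "172.25.239.220", "172.25.239.224"):
        print(dst, "->", dnat_target(rule, "11.0.0.16", dst))
```

Because the masked rule covers .192 through .223, a ping to the host's own address .208 is also rewritten to 11.0.0.16, which is consistent with the symptom Bert describes; the counters from `iptables -L -t nat -nvx` that Jim suggests would show that rule's packet count rising.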