On Wed, 2004-09-08 at 22:10, Tom Fischer wrote:
> Hi,
>
> I have a problem with DNAT. We have to move some services for a few days
> on another machine. So we want to do DNAT on incoming packets. I set
>
> iptables -A PREROUTING -t nat -s 0/0 -d xxx.xxx.xxx.xxx -p tcp --dport
> 9000 -j DNAT --to xxx.xxx.xxx.xxx

since you didn't provide your rules, I'm gonna haveta ask a really stupid
question... did you execute that command with the old DNAT rule in place?
if so--the new rule got appended to the end of the PREROUTING chain of the
nat table, after the old rule; therefore, it will never get matched.

it would be helpful for us list-types to see the output of:

iptables -t nat -vnL

another thought--NAT happens first (PREROUTING), then filter rules. you
will need to edit your filter rule to allow traffic to "newserver's"
actual IP instead of "oldserver's" actual IP.

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>
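The two points in the reply above (first-match chain traversal, and nat/PREROUTING rewriting the destination before the filter table sees the packet) can be checked without touching a live firewall. The following is an added illustration, not code from the thread: a small Python model of a netfilter chain that understands the `-A`/`-I`, `-s`, `-d`, `-p`, `--dport`, `-j` and `--to` options used in the posted rule. The IP addresses are constructed documentation-range placeholders; the helper names are the example's own.

```python
# Toy model of netfilter chain evaluation: rules are walked top-down and the
# first match wins, and a DNAT in nat/PREROUTING rewrites the destination
# before filter/FORWARD is consulted. Addresses are constructed placeholders.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

OLD_SERVER = "198.51.100.10"  # constructed: host whose service is being moved
NEW_SERVER = "198.51.100.20"  # constructed: temporary replacement host
PUBLIC_IP = "203.0.113.5"     # constructed: advertised service address


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str
    dst: Optional[str] = None    # None means "any destination"
    proto: Optional[str] = None
    dport: Optional[int] = None
    to: Optional[str] = None     # DNAT --to / --to-destination

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst is None or self.dst == pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def parse_rule(spec: str) -> Rule:
    """Parse the subset of iptables syntax used in the thread. '-s 0/0' and
    '-d 0/0' mean any address; the chain name and '-t nat' are ignored."""
    toks = spec.split()
    kw: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        if toks[i] in ("-s", "-d", "-p", "--dport", "-j", "--to",
                       "--to-destination", "-t", "-A", "-I"):
            kw[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    dst = kw.get("-d")
    return Rule(target=kw["-j"],
                dst=None if dst in (None, "0/0") else dst,
                proto=kw.get("-p"),
                dport=int(kw["--dport"]) if "--dport" in kw else None,
                to=kw.get("--to") or kw.get("--to-destination"))


def apply_command(chain: List[Rule], cmd: str) -> None:
    """-A appends at the tail; -I (no rule number) inserts at the head."""
    if "-A" in cmd.split():
        chain.append(parse_rule(cmd))
    elif "-I" in cmd.split():
        chain.insert(0, parse_rule(cmd))
    else:
        raise ValueError("expected -A or -I")


def first_match(chain: List[Rule], pkt: Packet) -> Tuple[int, Optional[Rule]]:
    """1-based rule number (as 'iptables -vnL --line-numbers' shows) and rule."""
    for idx, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return idx, rule
    return 0, None


def prerouting_dnat(nat_chain: List[Rule], pkt: Packet) -> Packet:
    _, rule = first_match(nat_chain, pkt)
    if rule is not None and rule.target == "DNAT":
        return replace(pkt, dst=rule.to)   # destination rewritten here
    return pkt


def forward_verdict(filter_chain: List[Rule], pkt: Packet) -> str:
    _, rule = first_match(filter_chain, pkt)
    return rule.target if rule is not None else "DROP"   # assume DROP policy


def scenario(insert: bool, allow_new: bool) -> Dict[str, object]:
    """Old DNAT rule already present; add the new one with -A or -I, then
    run one inbound packet through nat/PREROUTING and filter/FORWARD."""
    nat: List[Rule] = []
    apply_command(nat, f"-A PREROUTING -t nat -d {PUBLIC_IP} -p tcp "
                       f"--dport 9000 -j DNAT --to {OLD_SERVER}")
    flag = "-I" if insert else "-A"
    apply_command(nat, f"{flag} PREROUTING -t nat -s 0/0 -d {PUBLIC_IP} "
                       f"-p tcp --dport 9000 -j DNAT --to {NEW_SERVER}")
    fwd = [parse_rule(f"-A FORWARD -d {OLD_SERVER} -p tcp --dport 9000 -j ACCEPT")]
    if allow_new:
        fwd.append(parse_rule(f"-A FORWARD -d {NEW_SERVER} -p tcp --dport 9000 -j ACCEPT"))
    pkt = Packet("tcp", PUBLIC_IP, 9000)
    num, _ = first_match(nat, pkt)
    after = prerouting_dnat(nat, pkt)
    return {"matched_rule": num, "dnat_to": after.dst,
            "forward": forward_verdict(fwd, after)}


if __name__ == "__main__":
    print("-A, old filter rule:", scenario(insert=False, allow_new=False))
    print("-I, old filter rule:", scenario(insert=True, allow_new=False))
    print("-I, filter updated: ", scenario(insert=True, allow_new=True))
```

With `-A` the packet still hits rule 1 and lands on the old server; with `-I` it is rewritten to the new server, but the unchanged FORWARD rule (which only knows the old server's real address) drops it until a rule for the new address is added.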