What does the -I do? And why is the order so important (just curious and want to learn).
-- CUT HERE --
iptables -t nat -A POSTROUTING -o eth1 ! -d $INET_IP -j SNAT --to $INET_IP
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
## WWW Forwarding ...
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.1.30 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d $INET_IP --dport 80 -j DNAT --to 192.168.1.30:80
-- CUT HERE --

On 2005-01-03 at 02.36, Jason Opperisano wrote:

On Sun, 2005-01-02 at 19:39, Andreas Pettersson wrote:
## WWW Forwarding ...
iptables -t nat -A PREROUTING -d $INET_IP -p tcp --dport 80 -j DNAT --to-destination 192.168.1.30
iptables -A FORWARD -d $INET_IP -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
the DNAT happens PREROUTING; which is before FORWARD--therefore, the destination IP at this point is 192.168.1.30; not $INET_IP.
iptables -t nat -A POSTROUTING -s 192.168.1.30 -p tcp --sport 80 -j SNAT --to-source $INET_IP
this is unnecessary; as the reply packets part of the DNAT-ed connection will automatically be SNAT-ed, as NAT is stateful.
however--you do not have a rule that allows replies from the web server--might I simply suggest:
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-j
-- "Well, I'm not calling you a liar, but... I can't think of a way to finish that sentence." --The Simpsons
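Added example, not part of the thread and not anyone's production script: a toy model of a single iptables chain with first-match semantics, written to show the two points the thread turns on. First, -I inserts a rule at the head of the chain while -A appends it at the tail, which only matters when a terminating rule already sits in between; the trailing catch-all DROP here is a constructed assumption standing in for a "deny everything else" rule from an earlier script run. Second, the FORWARD chain sees the destination as already rewritten by the DNAT rule in nat/PREROUTING, so a FORWARD rule matching -d $INET_IP never fires. The eth0/eth1 layout and 192.168.1.30 come from the thread; the $INET_IP value and the client address are constructed.

```shell
#!/bin/sh
# Toy model of one iptables chain (added example; not real iptables code).
# A rule is "key=value ...|TARGET"; a packet is a "key=value ..." string.

INET_IP=203.0.113.10        # assumed public address (documentation range)
CHAIN=""

chain_append() {            # -A: the rule goes after every existing rule
    if [ -z "$CHAIN" ]; then CHAIN=$1; else CHAIN="$CHAIN
$1"; fi
}

chain_insert() {            # -I: the rule becomes rule number 1
    if [ -z "$CHAIN" ]; then CHAIN=$1; else CHAIN="$1
$CHAIN"; fi
}

# A rule matches when every key=value condition it carries is in the packet.
# A rule with no conditions (a catch-all) matches everything.
rule_matches() {
    conds=$1; pkt=$2
    for cond in $conds; do
        case " $pkt " in
            *" $cond "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Walk the chain top to bottom; the first matching rule decides and nothing
# below it is consulted. With no match the chain policy applies (DROP here).
evaluate() {
    verdict=$(printf '%s\n' "$CHAIN" | while IFS= read -r rule; do
        if rule_matches "${rule%%|*}" "$1"; then
            printf '%s\n' "${rule##*|}"
            break
        fi
    done)
    printf '%s\n' "${verdict:-DROP}"
}

# nat/PREROUTING runs before FORWARD: a packet for $INET_IP port 80 has its
# destination rewritten to the web server before FORWARD ever sees it.
prerouting_dnat() {
    if rule_matches "proto=tcp dst=$INET_IP dport=80" "$1"; then
        printf '%s\n' "$1" | sed "s/dst=$INET_IP/dst=192.168.1.30/"
    else
        printf '%s\n' "$1"
    fi
}

# Build FORWARD. Constructed assumption: the chain already lets the LAN out
# and ends in a catch-all DROP. $1 says how the stateful accept is added.
build_forward() {
    CHAIN=""
    chain_append "in=eth0 out=eth1|ACCEPT"
    chain_append "|DROP"
    if [ "$1" = insert ]; then
        chain_insert "state=ESTABLISHED|ACCEPT"   # -I: rule 1, ahead of the DROP
    else
        chain_append "state=ESTABLISHED|ACCEPT"   # -A: behind the DROP, never reached
    fi
}

# Verdict for a reply (from the Internet, on eth1) to a LAN-originated connection.
reply_verdict() {
    build_forward "$1"
    evaluate "in=eth1 out=eth0 proto=tcp dst=192.168.1.20 dport=51234 state=ESTABLISHED"
}

# Verdict for a new web request from the Internet when the FORWARD rule
# matches on address $1: the DNAT-ed address works, the public one does not.
web_verdict() {
    CHAIN="in=eth1 out=eth0 proto=tcp dst=$1 dport=80|ACCEPT"
    pkt="in=eth1 out=eth0 proto=tcp dst=$INET_IP dport=80 state=NEW"   # as it arrives
    evaluate "$(prerouting_dnat "$pkt")"
}

echo "reply, state rule added with -I: $(reply_verdict insert)"
echo "reply, state rule added with -A: $(reply_verdict append)"
echo "FORWARD rule on 192.168.1.30:    $(web_verdict 192.168.1.30)"
echo "FORWARD rule on \$INET_IP:        $(web_verdict "$INET_IP")"
```

Running it prints ACCEPT, DROP, ACCEPT, DROP in that order: with -I the stateful accept is rule 1 and the reply is accepted before the catch-all is reached, with -A it sits behind the DROP and is dead; and the FORWARD rule written against $INET_IP never matches because PREROUTING has already rewritten the destination to 192.168.1.30.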