Hello,

thanks Jörg for the help. It helped me solve the problem. First I had to enable forwarding on the machine (echo 1 > /proc/sys/net/ipv4/ip_forward). Then I wrote four rules, one for postrouting and one for prerouting, and two for forwarding to and from the new destination. And everything works :) thanks and have a nice weekend.

Christoph

On 1 Apr 2005 at 17:57, Jörg Harmuth wrote:

> Hi Christoph,
>
> unfortunately you don't provide any information about your rule set.
> So this is only a wild guess.
>
> I assume your ruleset looks something like this:
>
> iptables -L -t nat:
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             anywhere            tcp \
>   dpt:15000 to:10.1.1.2:80
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Also assuming that a client - say 10.10.10.3 - tries to connect to
> 10.10.10.1:15000 you have a conntrack entry like this:
>
> cat /proc/net/ip_conntrack | grep -i unreplied:
> tcp 6 80 SYN_SENT src=10.1.1.3 dst=10.1.1.1 sport=1759 \
>   dport=15000 [UNREPLIED] src=10.10.10.2 dst=10.10.10.3 sport=80 \
>   dport=1759 use=1
>
> As you can see client 10.10.10.2 gets an answer package from
> 10.10.10.3 but expects the answer from 10.10.10.2. If this is your
> scenario you need SNAT too, eg:
>
> iptables -t nat -A POSTROUTING -p tcp -d 10.10.10.2 --dport 80 -j SNAT \
>   --to 10.10.10.1
>
> Another possibility is that you didn't allow this traffic in your
> FORWARD chain and the policy is DROP (REJECT). Something like this
> makes it work:
>
> iptables -A FORWARD -p tcp -d 10.10.10.2 --dport 80 -m state --state \
>   NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -p tcp -s 10.10.10.2 --sport 80 -m state --state \
>   ESTABLISHED,RELATED -j ACCEPT
>
> If you need further help, please post your rule-set.
>
> HTH and have a nice time
>
> Jörg
>
>
> Christoph Galuschka wrote:
>
> > Hello,
> >
> > I've tried the whole day setting up NAT and it won't work. I have
> > the following situation: I have a proxy server (the machine running
> > NAT) and various other machines. I want the proxy server to NAT
> > some incoming connections to other machines. ie: A connection to
> > the proxy (10.1.1.1) on port 15000 should go to another machine
> > (10.1.1.2) on port 80 via the proxy. I have already managed a
> > local NAT (meaning changing ports ie from 15000 to 80 on the
> > proxy), but as soon as I try to DNAT to another machine it won't
> > work anymore.
> >
> > Any help would be appreciated.
> >
> > thanks, happy weekend and regards Christoph
> >
> >
>
> --
> -----------------------------------------------------------------------
> mnemon
> Jörg Harmuth
> Marie-Curie.Str. 1
> 53359 Rheinbach
>
> Tel.: (+49) 22 26 87 18 12
> Fax: (+49) 22 26 87 18 19
> mail: harmuth@xxxxxxxxx
> Web: http://www.mnemon.de
> PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
> PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
> -----------------------------------------------------------------------
> This mail was checked for viruses and other malicious software before
> sending. No malicious software was found.
>
> This Mail was checked for viruses and other malicious software before
> sending. No malicious software was detected.
> -----------------------------------------------------------------------
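Jörg's diagnosis rests on reading the conntrack entry: the original tuple is what the client sent, the reply tuple is what conntrack expects back after NAT, and an `[UNREPLIED]` DNAT flow means the answer never arrived through the NAT box. The following script is an added example, not code from this thread or from the netfilter project: it parses lines in the `/proc/net/ip_conntrack` format Jörg quoted and sorts each stuck DNAT flow into the two causes he names (client and target on the same segment, so SNAT is needed; or the SYN never forwarded, so `ip_forward` and the FORWARD chain need checking). The LAN prefix `10.1.1.0/24`, the function names and the sample entries are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample /proc/net/ip_conntrack lines (2.4/2.6-era format), modelled on
# the entry quoted in the thread. These are not real captures.
SAMPLE_CONNTRACK = """\
tcp 6 80 SYN_SENT src=10.1.1.3 dst=10.1.1.1 sport=1759 dport=15000 [UNREPLIED] src=10.1.1.2 dst=10.1.1.3 sport=80 dport=1759 use=1
tcp 6 431999 ESTABLISHED src=10.1.1.3 dst=10.1.1.1 sport=1760 dport=22 src=10.1.1.1 dst=10.1.1.3 sport=22 dport=1760 [ASSURED] use=1
tcp 6 80 SYN_SENT src=192.168.5.7 dst=10.1.1.1 sport=40000 dport=15000 [UNREPLIED] src=10.1.1.2 dst=192.168.5.7 sport=80 dport=40000 use=1
"""

# src/dst/sport/dport appear twice per line: original direction first, reply second.
TUPLE_RE = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
FLAG_RE = re.compile(r"\[([A-Z]+)\]")


def parse_conntrack(text):
    """Parse ip_conntrack lines into dicts holding the original and reply tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        fields = TUPLE_RE.findall(line)
        if len(tokens) < 4 or len(fields) < 8:
            continue  # blank line or a protocol layout this parser does not handle
        entries.append({
            "proto": tokens[0],
            "state": tokens[3] if tokens[0] == "tcp" else None,
            "orig": dict(fields[:4]),    # what the client actually sent
            "reply": dict(fields[4:8]),  # what conntrack expects back, post-NAT
            "flags": set(FLAG_RE.findall(line)),
        })
    return entries


def diagnose(entry, lan):
    """Classify one flow. lan is the network the NAT box shares with the DNAT target.

    Returns 'not-dnat', 'ok', 'needs-snat' or 'check-forwarding'.
    """
    orig_dst = ipaddress.ip_address(entry["orig"]["dst"])
    reply_src = ipaddress.ip_address(entry["reply"]["src"])
    if orig_dst == reply_src:
        return "not-dnat"  # destination unchanged: local or plainly routed flow
    if "UNREPLIED" not in entry["flags"]:
        return "ok"        # DNAT applied and the target has already answered
    client = ipaddress.ip_address(entry["orig"]["src"])
    if client in lan and reply_src in lan:
        # Client and target sit on the same segment, so the target answers the
        # client directly and the SYN/ACK never passes the NAT box. The client
        # expected orig_dst and drops a reply from reply_src: add SNAT in
        # POSTROUTING so the return path comes back through the NAT box.
        return "needs-snat"
    # Target is on another segment: either the SYN was never forwarded
    # (ip_forward off, FORWARD policy DROP) or the reply did not come back.
    return "check-forwarding"


def diagnose_all(text, lan_cidr):
    """Return (client, original dst, dport, verdict) for every parsed entry."""
    lan = ipaddress.ip_network(lan_cidr)
    return [
        (e["orig"]["src"], e["orig"]["dst"], e["orig"]["dport"], diagnose(e, lan))
        for e in parse_conntrack(text)
    ]


if __name__ == "__main__":
    for client, dst, dport, verdict in diagnose_all(SAMPLE_CONNTRACK, "10.1.1.0/24"):
        print(f"{client} -> {dst}:{dport}  {verdict}")
```

On a live box, feed it `cat /proc/net/ip_conntrack` (or the `conntrack -L` output on newer kernels, after adapting the field layout) and pass the prefix of the segment the NAT box and the DNAT target share; a `needs-snat` verdict is the hairpin case that Jörg's POSTROUTING SNAT rule fixes, while `check-forwarding` points at the `ip_forward` sysctl and FORWARD chain that Christoph ended up needing.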