Hello list...

I've read a lot in the archive about DNAT/loopback and redirect, but I still haven't found what I'm looking for (ok, I had some U2 in my mind at that time. Don't you now? :-)

My configuration can be simplified as this (configuration is far more complicated, but I assume you only need relevant information):

- a linux router/firewall/sshd/squid/etc with two interfaces (LAN - RFC1918 - and WAN static official IP)
- a LAN machine hosting a P2P service (PixVillage photo sharing - nothing illegal)
- the P2P protocol only knows about the WAN IP of the linux box.

I've configured PREROUTING entries and associated POSTROUTING which work perfectly from internet or another machine on the LAN. A simple extract:

    $IPTABLES -t nat -A PREROUTING -d $FW_INTERNET -p tcp --dport 3739 -j DNAT --to-destination 192.168.38.9:3739
    $IPTABLES -t nat -A POSTROUTING -s $LAN -d $LAN -p tcp --dport 3739 -j SNAT --to-source $FW_INTERNET

My problem is from the linux box when trying "telnet [official WAN IP] 3739" which replies "connection refused". "tcpdump -nt -i lo" shows a simple SYN then RST.

I've added LOG to chains (INPUT/FORWARD/OUTPUT/PREROUTING/POSTROUTING) and found this telnet connection does not go via the PREROUTING chain. So it doesn't find any local 3739 port listening so it is not redirected to the LAN... When I fire up a netcat listening on the port, I can get the connection - of course (but as I said before, configuration is more complicated and this test was mandatory).

I've read in the archive this might be the normal behaviour, PREROUTING chain being used only for external and not loopback connection. Is that true? Is there a solution via iptables to solve this? Or should I set up a local proxy listening on loopback to relay from 3739 to the remote machine as if DNAT didn't exist? If so, can someone suggest a generic tcp proxy I could use (even if this would be the worst solution since I don't have only one port to relay like that...)

Thanks a lot!
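
Connections opened on the firewall itself are locally generated packets: netfilter passes them through the nat OUTPUT chain, never PREROUTING, which matches the LOG result in the post. As an added example (not part of the original post), this script prints the two rules from the extract plus a matching OUTPUT rule for each forwarded port; 203.0.113.10, 192.168.38.0/24 and port 3740 are constructed stand-ins for $FW_INTERNET, $LAN and a second relayed port.

```shell
#!/bin/sh
# Added example: prints (does not apply) the nat rules for each forwarded port.
# Assumptions: 203.0.113.10 stands in for $FW_INTERNET, 192.168.38.0/24 for $LAN,
# and port 3740 is a constructed second mapping.
IPTABLES=${IPTABLES:-iptables}

# emit_dnat_rules WAN_IP LAN_NET PORT:HOST [PORT:HOST ...]
emit_dnat_rules() {
    wan=$1; lan=$2; shift 2
    for map in "$@"; do
        # Each mapping must look like PORT:HOST.
        case $map in
            *:*) ;;
            *) echo "expected PORT:HOST, got '$map'" >&2; return 1 ;;
        esac
        port=${map%%:*}; host=${map#*:}
        # Reject non-numeric or out-of-range ports before printing any rule.
        case $port in
            ''|*[!0-9]*) echo "bad port in '$map'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$map'" >&2; return 1
        fi
        match="-d $wan -p tcp --dport $port"
        target="-j DNAT --to-destination $host:$port"
        # Packets arriving on an interface (Internet or LAN clients).
        echo "$IPTABLES -t nat -A PREROUTING $match $target"
        # Packets generated on the firewall itself (the telnet test):
        # these traverse nat OUTPUT and never see PREROUTING.
        echo "$IPTABLES -t nat -A OUTPUT $match $target"
        # LAN clients reaching the LAN host through the WAN address.
        echo "$IPTABLES -t nat -A POSTROUTING -s $lan -d $lan -p tcp --dport $port -j SNAT --to-source $wan"
    done
}

# Print the rule set for review; nothing is applied here.
emit_dnat_rules 203.0.113.10 192.168.38.0/24 3739:192.168.38.9 3740:192.168.38.9
```

After loading the OUTPUT rule, the LOG entries already placed on the chains should show the telnet test from the firewall matching in nat OUTPUT.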