On Fri, Apr 15, 2005 at 10:40:39AM +0200, Samuel Díaz García wrote:
> Without having a look into your scripts, I think you need:
>
> 1) Allow INPUT into filter table to the port.
> 2) Allow FORDWARD into filter table to the redirected conection.
that's not exactly sagely advice. in a port-forwarding situation, all
you need is the nat PREROUTING DNAT rule and a filter FORWARD rule.
since the destination IP is translated "prerouting" the translated
packet will never traverse the filter INPUT chain.
three line guide to "port-forwarding:"
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 800 \
-j DNAT --to-destination $INSIDE_HOST
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -p tcp --syn \
-d $INSIDE_HOST --dport 800 -j ACCEPT
-j
--
"Brian: She's a whiney little runt isn't she?
Brian: What? I said runt."
--Family Guy
