Payal,

You need to add a second simple entry: look at the entries below. I'm mapping an entire IP, but this would be simple to do for just a single port. The second POSTROUTING line is what made everything work for my typical firewalls.

# Completed on Mon Jul 11 10:58:27 2005
# Generated by iptables-save v1.2.11 on Mon Jul 11 10:58:27 2005
*nat
:PREROUTING ACCEPT [2547:176804]
:POSTROUTING ACCEPT [633:40896]
:OUTPUT ACCEPT [40:4518]
-A PREROUTING -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
-A POSTROUTING -s 10.94.16.50 -o eth0 -j SNAT --to-source 81.45.25.50
-A POSTROUTING -s 10.94.16.50 -d 10.94.16.0/255.255.255.0 -j SNAT --to-source 81.45.25.50
-A POSTROUTING -o eth0 -p ! ipv6-crypt -j SNAT --to-source 81.45.25.50
-A OUTPUT -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
COMMIT
# Completed on Mon Jul 11 10:58:27 2005

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Payal Rathod
> Sent: Monday, July 11, 2005 8:19 AM
> To: Netfilter ML
> Subject: dnatting
>
> Hi,
> I have a rule on my friend's broadband connection to redirect traffic
> from outside to an internal machine like,
>
> iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
> --to-destination 192.168.10.10:80
>
> But she complained that people from inside the network cannot do
> http://1.2.3.4 in their browser and see the site. Is she correct?
> What is wrong with my rule because I can see the site from outside?
>
> Thanks in advance.
> With warm regards,
> -Payal
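
Added example, not part of either message above: a small Python model of why a DNAT-only rule works for outside clients but fails for clients on the same LAN as the server, and why an extra SNAT rule in POSTROUTING fixes it. The addresses 1.2.3.4 and 192.168.10.10 come from the question; the /24 subnet, the router LAN address 192.168.10.1 and both client addresses are assumptions.

```python
import ipaddress
from typing import NamedTuple

PUBLIC = "1.2.3.4"                               # from the question
SERVER = "192.168.10.10"                         # from the question
ROUTER_LAN = "192.168.10.1"                      # assumed router LAN address
LAN = ipaddress.ip_network("192.168.10.0/24")    # assumed LAN subnet


class Packet(NamedTuple):
    src: str
    dst: str


def reply_seen_by_client(client: str, hairpin_snat: bool) -> Packet:
    """Return the reply packet as it arrives at the client."""
    request = Packet(client, PUBLIC)
    # PREROUTING: -d 1.2.3.4 ... -j DNAT --to-destination 192.168.10.10
    forwarded = request._replace(dst=SERVER)
    # Extra POSTROUTING rule (assumed form):
    #   -s 192.168.10.0/24 -d 192.168.10.10 -j SNAT --to-source 192.168.10.1
    if hairpin_snat and ipaddress.ip_address(client) in LAN:
        forwarded = forwarded._replace(src=ROUTER_LAN)
    # The server answers whoever the packet appeared to come from.
    reply = Packet(SERVER, forwarded.src)
    # A reply addressed to another LAN host is delivered directly and never
    # re-enters the router, so conntrack cannot undo the DNAT.
    if ipaddress.ip_address(reply.dst) in LAN and reply.dst != ROUTER_LAN:
        return reply
    # Otherwise the reply crosses the router, which reverses the translations.
    return Packet(PUBLIC, client)


def connection_works(client: str, hairpin_snat: bool) -> bool:
    # The client's socket only accepts replies from the address it dialled.
    return reply_seen_by_client(client, hairpin_snat).src == PUBLIC


if __name__ == "__main__":
    # Constructed sample clients: one outside, one on the LAN.
    for client in ("203.0.113.7", "192.168.10.20"):
        for snat in (False, True):
            seen = reply_seen_by_client(client, snat)
            print(f"client={client} snat={snat} reply_src={seen.src} "
                  f"works={connection_works(client, snat)}")
```
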