On Mon, Jul 11, 2005 at 12:09:44PM -0700, Gary W. Smith wrote:
> Payal,
>
> You need to add a second simple entry:
[...]

Thanks this solved it. Thanks again.
Now I am curious why Jason didn't suggest this.

With warm regards,
-Payal

>
> Look at the entries below. I'm mapping an entire IP but this would be
> simple to just to a single port. The second POSTROUTING line is what
> made everything work for my typical firewalls.
>
> # Completed on Mon Jul 11 10:58:27 2005
> # Generated by iptables-save v1.2.11 on Mon Jul 11 10:58:27 2005
> *nat
> :PREROUTING ACCEPT [2547:176804]
> :POSTROUTING ACCEPT [633:40896]
> :OUTPUT ACCEPT [40:4518]
> -A PREROUTING -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
>
> -A POSTROUTING -s 10.94.16.50 -o eth0 -j SNAT --to-source 81.45.25.50
> -A POSTROUTING -s 10.94.16.50 -d 10.94.16.0/255.255.255.0 -j SNAT --to-source 81.45.25.50
>
> -A POSTROUTING -o eth0 -p ! ipv6-crypt -j SNAT --to-source 81.45.25.50
> -A OUTPUT -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
> COMMIT
> # Completed on Mon Jul 11 10:58:27 2005
>
> > -----Original Message-----
> > From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-
> > bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Payal Rathod
> > Sent: Monday, July 11, 2005 8:19 AM
> > To: Netfilter ML
> > Subject: dnatting
> >
> > Hi,
> > I have a rule on my friend's broadband connection to redirect traffic
> > from outside to an internal machine like,
> >
> > iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
> > --to-destination 192.168.10.10:80
> >
> > But she complained that people from inside the network cannot do
> > http://1.2.3.4 in their browser and see the site. Is she correct?
> > What is wrong with my rule because I can see the site from outside?
> >
> > Thanks in advance.
> > With warm regards,
> > -Payal
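Why the DNAT rule alone works from outside but not from inside, as an added example that is not part of the original thread: a small Python model of the address rewriting, using the 1.2.3.4 and 192.168.10.10 addresses from the question. The client addresses, the /24 LAN and the exact match of the extra SNAT (any forwarded connection whose source and destination are both on the LAN) are assumptions of this model, not a transcription of the quoted ruleset.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst")

PUBLIC, SERVER = "1.2.3.4", "192.168.10.10"      # addresses from the question
LAN_CLIENT = "192.168.10.20"                     # constructed inside client
WAN_CLIENT = "203.0.113.7"                       # constructed outside client
LAN_PREFIX = "192.168.10."                       # assumed /24 LAN


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


def router_forward(pkt, hairpin_snat, conntrack):
    """PREROUTING DNAT, then (optionally) a LAN-to-LAN POSTROUTING SNAT."""
    out = pkt
    if out.dst == PUBLIC:                        # DNAT --to-destination SERVER
        out = out._replace(dst=SERVER)
    if hairpin_snat and on_lan(out.src) and on_lan(out.dst):
        out = out._replace(src=PUBLIC)           # SNAT --to-source PUBLIC
    # conntrack: expected reply tuple -> reply with both rewrites undone
    conntrack[(out.dst, out.src)] = Pkt(pkt.dst, pkt.src)
    return out


def reply_seen_by_client(client, hairpin_snat):
    """Return the reply packet exactly as it arrives at the client."""
    conntrack = {}
    at_server = router_forward(Pkt(client, PUBLIC), hairpin_snat, conntrack)
    reply = Pkt(at_server.dst, at_server.src)    # server answers what it saw
    if on_lan(reply.dst):
        # Same subnet: delivered directly, the router never sees the reply,
        # so nothing rewrites the source back to the public address.
        return reply
    # Off-subnet destination: goes via the router, conntrack reverses the NAT.
    return conntrack[(reply.src, reply.dst)]


def client_accepts(client, hairpin_snat):
    # The client's socket only matches replies from the address it dialled.
    return reply_seen_by_client(client, hairpin_snat) == Pkt(PUBLIC, client)


if __name__ == "__main__":
    for name, client in (("outside", WAN_CLIENT), ("inside", LAN_CLIENT)):
        for snat in (False, True):
            print(name, "hairpin SNAT" if snat else "DNAT only",
                  reply_seen_by_client(client, snat),
                  "OK" if client_accepts(client, snat) else "DROPPED")
```

With DNAT only, the inside client receives a reply whose source is 192.168.10.10 rather than 1.2.3.4, so its connection never completes; with the extra SNAT the server's reply is forced back through the router and un-NATed there.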