On 8/3/05, Gömöri Zoltán <suf@xxxxxxxxxxx> wrote:
> Hi,
>
> > -----Original Message-----
> > From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> > [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> > Ricardo J. Méndez
> > Sent: Thursday, August 04, 2005 3:38 AM
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: IP forwarding
> >
> > Hi,
> >
> > I've got a network setup where the internal router is a Linux box
> > running iptables. External interface is eth0, internal eth1. I'm
> > attempting to forward an external IP address (say, 1.2.3.4) to an
> > internal machine.
> >
> > The rule I added is:
> >
> > iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
> > --to 192.168.1.202
>
> The rule should look like this:
>
> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
> --to-destination 192.168.1.202

Actually, I believe that --to is a valid unique prefix for --to-destination. The fact that it didn't flag as a syntax error supports this.

The problem is that locally generated packets (from the firewall itself) to 1.2.3.4 never pass through filter.PREROUTING. Each forwarded port may need up to four rules to NAT all access. The script I use (at http://www.curby.net/doc/curbywall ) is an example of using all four, though it may be difficult to understand.

The general principle, but applied to the SNAT-ed network as opposed to localhost, is described in http://netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

Other folks here are proponents of running a local DNS server so you don't have to do such NAT contortions.

--Curby
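As an added illustration of the "up to four rules per forwarded port" point above (this is example code written for this page, not the curbywall script and not anything posted in the thread), the following POSIX shell function emits one plausible set of four rules for the thread's addresses. Assumptions, all mine: eth0 is external with 1.2.3.4, eth1 is internal with 192.168.1.1/24, the web server is 192.168.1.202, net.ipv4.ip_forward is already enabled, and a generic `FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` rule already exists for return traffic. The function name `forward_port` and the `IPTABLES` variable are hypothetical. By default the script only prints the commands so it can be reviewed on any machine; set `IPTABLES=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): the four netfilter rules needed so that
# 1.2.3.4:80 reaches 192.168.1.202:80 from the Internet, from the LAN and from
# the firewall itself. Topology and addresses are assumptions for illustration.

# Dry run by default: print the rules instead of loading them.
# Use IPTABLES=iptables ./this-script to actually apply them (needs root).
: "${IPTABLES:=echo iptables}"

# forward_port EXT_IP PORT TARGET LAN_GW LAN_NET   (hypothetical helper name)
forward_port() {
    ext_ip=$1 port=$2 target=$3 lan_gw=$4 lan_net=$5

    # 1. nat/PREROUTING: traffic that ARRIVES on any interface (Internet via
    #    eth0, or a LAN client talking to the public address via eth1) is
    #    redirected to the internal server. Same as the rule in the thread,
    #    spelled out with the full option name.
    $IPTABLES -t nat -A PREROUTING -d "$ext_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$target:$port"

    # 2. nat/OUTPUT: packets GENERATED ON THE FIREWALL never traverse
    #    PREROUTING, so without this rule "wget http://1.2.3.4/" run on the
    #    router itself is not redirected.
    $IPTABLES -t nat -A OUTPUT -d "$ext_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$target:$port"

    # 3. nat/POSTROUTING: hairpin case. A LAN client's packet was DNATed to
    #    the server in rule 1; the server would answer the client directly
    #    (same subnet), bypassing the router, and the client would drop the
    #    reply because it came from 192.168.1.202, not 1.2.3.4. Rewriting the
    #    source to the router's LAN address forces the reply back through
    #    the router so the DNAT can be undone. This is the SNAT-side trick
    #    the NAT-HOWTO link describes.
    $IPTABLES -t nat -A POSTROUTING -s "$lan_net" -d "$target" -p tcp --dport "$port" \
        -j SNAT --to-source "$lan_gw"

    # 4. filter/FORWARD: NAT only rewrites headers; the redirected packet
    #    still has to be ACCEPTED on its way through the router. Only NEW
    #    connections are matched here; the (assumed) generic
    #    ESTABLISHED,RELATED rule handles the rest of each connection.
    $IPTABLES -A FORWARD -d "$target" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
}

forward_port 1.2.3.4 80 192.168.1.202 192.168.1.1 192.168.1.0/24
```

Two caveats a practitioner should keep in mind: rule 3 hides the real client address from the internal server's logs for LAN clients (the server sees 192.168.1.1), which is exactly the "NAT contortion" that running a local DNS view (resolving the hostname to 192.168.1.202 inside the LAN) avoids; and rule 1 as written matches on any interface, so restrict it with `-i eth0` if you do not want the hairpin behaviour at all.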