Martijn,

The script idea sounds quite clever and efficient! I would be very interested to see your method by script, if it is not a security risk, etc. Thank you very much for your response and idea.

Mike

On 10/20/06, Martijn Lievaart <m@xxxxxxx> wrote:
Mike wrote:
> I'm having difficulty with clients connecting to a game I'm hosting
> over the internet.
> So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> rule.
>
> If I have these prerouting rules:
>
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34297 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34297 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34397 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34397 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34447 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34447 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
>
> Then I should not have to worry about these FORWARD rules interfering
> with the prerouted data getting to the server at 192.168.170.6 ---
>
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> Am I right or wrong?
> If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> and leave out the ESTABLISHED,RELATED requirement?

You have to ACCEPT these packets in your forward chain. What I generally do (but I generate this with a script) is to duplicate the rules in PREROUTING, once with -j MARK and once with -j DNAT. In FORWARD I then use --mark to accept those DNATted connections all in one rule.

HTH,
M4
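One way to script the MARK/DNAT pairing Martijn describes, as an added example rather than his own script: it takes the interface, server address and ports from Mike's rules, puts the MARK rules in the mangle table (the one table where MARK has always been valid) and, unless DRY_RUN=0, only prints the iptables commands instead of running them; the mark value 0x20 and the DRY_RUN switch are my assumptions.

```shell
#!/bin/sh
# Forward a set of game ports to an internal host with one FORWARD rule:
# every packet that gets DNATted in PREROUTING is also marked, and FORWARD
# accepts by mark instead of needing one ACCEPT rule per port/protocol.
# Values from the thread: ppp0, 192.168.170.6, ports 34297 34397 34447.
# Assumed: mark value 0x20; DRY_RUN=1 prints the rules instead of applying.

IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF="ppp0"
GAME_HOST="192.168.170.6"
GAME_PORTS="34297 34397 34447"
GAME_MARK="0x20"
DRY_RUN="${DRY_RUN:-1}"

# run: print the rule when dry-running, otherwise execute it
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s %s\n' "$IPTABLES" "$*"
  else
    "$IPTABLES" "$@"
  fi
}

# gen_port_rules: for each port and protocol emit the MARK rule (mangle
# PREROUTING runs first, so the mark is set before nat rewrites the
# destination) and the matching DNAT rule in nat PREROUTING.
gen_port_rules() {
  for port in $GAME_PORTS; do
    for proto in tcp udp; do
      run -t mangle -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port" \
          -j MARK --set-mark "$GAME_MARK"
      run -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port" \
          -j DNAT --to-destination "$GAME_HOST"
    done
  done
}

# gen_forward_rule: a single FORWARD rule accepts the marked, DNATted
# packets; -d restricts it to traffic already rewritten to the game host.
gen_forward_rule() {
  run -t filter -A FORWARD -i "$WAN_IF" -d "$GAME_HOST" \
      -m mark --mark "$GAME_MARK" -j ACCEPT
}

gen_all() { gen_port_rules; gen_forward_rule; }

gen_all
```

Return traffic from the game host still relies on the existing ESTABLISHED,RELATED rules in the other direction, so keep those.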