On Feb 28 2007 19:12, Andrew Kraslavsky wrote:

[recap
> external 10.0.0.1/24
> internal 192.168.0.1/24
]
>
> Thanks for the pointer but the question here is about the destination IP
> address, not the source.
>
> When I create the DNAT rule, the private IP address to which I want my
> public address to map suddenly becomes directly accessible to hosts on
> the public network.

Then don't add a DNAT rule.

> I.e. I want hosts on the public network to _have_to_ send traffic to
> the public IP of 10.0.0.1 but, after adding that rule, they can
> actually send traffic to that address _AND_ also directly to the
> private IP address of the Web server at 192.168.0.99.

Your DNAT rule is broken:

> iptables -t nat -A PREROUTING -d 10.0.0.1 -j DNAT --to-destination
> 192.168.0.99

You are forwarding _ALL_ traffic, _ALL_ ports.
(And you can never reach the real 10.0.0.1 from the outside using 10.0.0.1.)

Jan
--
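An added example (not from the thread) showing the quoted rule narrowed to the one port that should be exposed, together with FORWARD rules so that 192.168.0.99 is only reachable from the public side through the translated address. It assumes the firewall carries the public net on eth0 and the internal net on eth1, that only TCP/80 of the web server is meant to be published, and that "direct" reachability of the private address happens by forwarding through this same box.

```shell
#!/bin/sh
# Added example, not from the thread. Narrowed version of the quoted DNAT rule
# plus FORWARD filtering. Assumed: public net on eth0, internal net on eth1,
# and only TCP/80 of the web server is to be exposed.
EXT_IF=${EXT_IF:-eth0}      # assumed external interface
INT_IF=${INT_IF:-eth1}      # assumed internal interface
PUBLIC_IP=10.0.0.1
WEB_IP=192.168.0.99
WEB_PORT=80

# With DRY_RUN=1 the rules are printed instead of applied, so they can be
# reviewed on a machine where iptables is absent or you are not root.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

web_dnat_rules() {
    # Only TCP/80 sent to the public address is rewritten. Every other port
    # still terminates on the firewall itself, unlike the catch-all rule.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUBLIC_IP" --dport "$WEB_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"
    # Let the translated flow and its replies through the FORWARD chain...
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_IP" --dport "$WEB_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ...and drop everything else arriving from the public side for the
    # internal net, so 192.168.0.99 cannot be addressed directly from outside.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j DROP
}

# Default is a dry run that prints the rules; "apply" installs them for real.
case "${1:-show}" in
    apply) DRY_RUN=0 ;;
    *)     DRY_RUN=1 ;;
esac
web_dnat_rules
```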