On Tuesday, 8 May, Bas Verhoeven typed the following:

Hi!

> We're having some problems with iptables, have been playing ~3 hours
> with this and I need some advice.
> We want to 'forward' port 80 from one ip to another ip (other server) -
> mainly to protect the webserver. One could say that you could use basic
> portforwarding for this, but as far as I know this also breaks the
> source ip for apache logs, etc. So we decided that we needed NAT'ing.
[...]
> OUTBOUND SERVER:
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d <ext_web_ip> -j DNAT --to-destination <webserver_ip>:80

That's fine. This will also make netfilter take care of answer packages.

> Note: We didn't touch this as it seems to work fine.
>
> WEBSERVER:
[...]

There are no NAT rules needed here. All you have to accomplish is that
the answer packages from WEBSERVER to $client are routed via OUTBOUND
SERVER. I guess that's just true by the network architecture.

e.g.

client network / inet <---> OUTBOUND SERVER <-> WEBSERVER

HTH
Ciao
Max
--
Follow the white penguin.
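
The routing requirement described in the reply above, as an added example that is not part of the original thread: a toy Python model of the DNAT rule and its connection-tracking entry, comparing a reply routed back through OUTBOUND SERVER with one that bypasses it. All addresses, ports and function names are constructed for illustration; this models the behaviour and is not netfilter code.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

# Constructed documentation addresses standing in for the thread's placeholders.
CLIENT = "198.51.100.7"
EXT_WEB_IP = "203.0.113.10"   # <ext_web_ip>
WEBSERVER_IP = "10.0.0.20"    # <webserver_ip>

class OutboundServer:
    """Gateway carrying the PREROUTING DNAT rule quoted in the thread."""
    def __init__(self):
        # expected reply tuple -> original destination (ip, port)
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        # Reply direction: a conntrack hit restores the original destination as source.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            ip, port = self.conntrack[key]
            return pkt._replace(src=ip, sport=port)
        # Original direction: DNAT rewrites only the destination, never the source.
        if pkt.dst == EXT_WEB_IP and pkt.dport == 80:
            out = pkt._replace(dst=WEBSERVER_IP, dport=80)
            self.conntrack[(out.dst, out.dport, out.src, out.sport)] = (pkt.dst, pkt.dport)
            return out
        return pkt

def webserver_reply(pkt: Packet) -> Packet:
    # The webserver answers the address it saw, which is the real client.
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def client_accepts(sent: Packet, reply: Packet) -> bool:
    # A TCP client only matches replies coming from the address it connected to.
    return tuple(reply) == (sent.dst, sent.dport, sent.src, sent.sport)

def simulate(reply_via_gateway: bool):
    """Return (source IP the webserver logs, reply source IP, client accepts?)."""
    gw = OutboundServer()
    sent = Packet(CLIENT, 40000, EXT_WEB_IP, 80)
    seen = gw.forward(sent)
    reply = webserver_reply(seen)
    if reply_via_gateway:
        reply = gw.forward(reply)
    return seen.src, reply.src, client_accepts(sent, reply)

if __name__ == "__main__":
    print("via OUTBOUND SERVER:", simulate(True))
    print("bypassing it:       ", simulate(False))
```

In both cases the webserver sees the real client address, but only the reply that passes back through the gateway has its source rewritten to the external IP the client connected to.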