Re: Default deny rule

Hi Lajos,

That's a good explanation. I got the point :-)

Thanks & Regards,
Gopinath.U

On 5/30/07, Gáspár Lajos <swifty@xxxxxxxxxxx> wrote:
Gopinath wrote:
> Thank you very much Lajos !!!!!!!!!!!!!!!
>
> It is working fine now after adding the line "-m conntrack --ctstate
> DNAT" in the ACCEPT statement of the FORWARD chain as you've said in
> previous mail.
>
> Could you please explain how it works after adding the line "-m
> conntrack --ctstate DNAT" in the ACCEPT stmt of FORWARD chain? I'm
> very eager to know this :-)
>
Okay... :D

I have attached an image that shows the route of the packet.

In the PREROUTING nat table the destination address gets DNATed IF the
client wants to talk to the EXTERNAL address.
But if the INTERNAL address is used at a new connection then this rule
does not get hit !!! (No DNAT!!!)

In the FORWARD filter table you were accepting EVERY connection that has
an INTERNAL destination address.
If you use the conntrack module then ONLY the DNATed packets get
accepted!!!

> Regards,
> Gopinath.U
>
>
> I have also upgraded my iptables to version 1.3.7
Good to hear... :D

Swifty
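The two FORWARD rules Lajos contrasts, written out as an added example that is not part of the thread. The interface, addresses and port are assumed values, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: eth0 is the external
# interface, 203.0.113.10 its public address, 192.168.1.10 the internal server,
# port 80 the forwarded service. Set IPT=echo to print rules instead of applying.
IPT="${IPT:-iptables}"
EXT_IF=eth0
EXT_ADDR=203.0.113.10
INT_HOST=192.168.1.10
PORT=80

# PREROUTING (nat table): rewrite the destination only when a client
# addressed the EXTERNAL address. A packet that already carries the INTERNAL
# address as destination never matches here, so it is NOT DNATed.
nat_dnat_rule() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_ADDR" --dport "$PORT" \
        -j DNAT --to-destination "$INT_HOST"
}

# The original, too-broad FORWARD rule: accepts EVERY new connection whose
# destination is the internal host, whether it was DNATed or not.
forward_rule_broad() {
    $IPT -A FORWARD -p tcp -d "$INT_HOST" --dport "$PORT" -j ACCEPT
}

# The corrected rule from the thread: the conntrack DNAT status is only set on
# connections the PREROUTING rule actually rewrote, so only those are accepted.
forward_rule_dnat_only() {
    $IPT -A FORWARD -p tcp -d "$INT_HOST" --dport "$PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# Default-deny FORWARD policy plus the corrected rule set.
apply_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    nat_dnat_rule
    forward_rule_dnat_only
}
```

Source the file and call apply_rules as root; with IPT=echo exported first, the rules are printed instead of applied.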