On Mon, 03/12/2007 at 13:52 +0100, Jakub Nadolny wrote:
> Hi,
>
> I try to do simple address:port forwarding and I can not get it
> working. I want to have all traffic sent to some.internet.address:some_port
> to be forwarded to 192.168.155.123:80.
>
> So I guess the following rule should work fine:
> iptables -t nat -A PREROUTING -p tcp -d some.internet.address --dport 1234 -j DNAT --to 192.168.155.123:80
>
> But when after that I enter some.internet.address:1234 in firefox I can
> not see the webpage which is located at 192.168.155.123. It tries to connect
> but there is no result.
>
> What could be the reason of that?

Some rules in the FILTER table could block that traffic. Routing
problems may also occur.

You can make sure this is the case by explicitly allowing such traffic
by:

iptables -I FORWARD 1 -p tcp -d 192.168.155.123 -j ACCEPT
iptables -I FORWARD 2 -p tcp -s 192.168.155.123 -j ACCEPT

Also if you are talking about http traffic there is one thing to know.
HTTP 1.1 transmits the domain part of the URL in the request, which makes
host-based virtual hosting possible. That means if there is a site named
somesite.com and it has ip 1.2.3.4, and you redirected connections to
1.2.3.4:80 to 1.2.3.5:80 on the router, server 1.2.3.5 will get those
packets, but its www-server will see that requests are for site
somesite.com and if there is no virtualhost for somesite.com and no
default virtualhost www-server may show you nothing.

You can see whether the packets reach the www-server by looking at the
www-server logs or running tcpdump on it.

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
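
Added example (not part of the original message): the FORWARD check the reply describes, done statically over iptables-save output. DNAT happens in PREROUTING, so the filter table sees the translated destination, and the script evaluates FORWARD against 192.168.155.123:80. The rulesets are constructed, 203.0.113.10 is a placeholder for some.internet.address, and check_dnat_forward is a hypothetical helper that models only -d, -p, --dport and -j.

```shell
#!/bin/sh
# Constructed iptables-save fragments; 203.0.113.10 is a placeholder address.
NAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.155.123:80
COMMIT
*filter
:FORWARD DROP [0:0]'
EST='-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'
FIX='-A FORWARD -d 192.168.155.123/32 -p tcp -j ACCEPT'   # rule from the reply
# Reads iptables-save text on stdin. For each DNAT rule, prints the translated
# destination and the FORWARD verdict for the first (NEW) TCP packet to it.
# Assumptions: first match wins; -d is compared as a plain host address; any
# option not modelled (-s, -i, --ctstate ...) is treated as not matching.
check_dnat_forward() {
  awk '
    function verdict(ip, port,   r, n, f, i, ok, tgt) {
      for (r = 1; r <= nr; r++) {
        n = split(rules[r], f, " "); ok = 1; tgt = ""
        for (i = 3; i <= n; i++) {
          if (f[i] == "-d") { sub(/\/32$/, "", f[i+1]); if (f[i+1] != ip) ok = 0; i++ }
          else if (f[i] == "-p") { if (f[i+1] != "tcp") ok = 0; i++ }
          else if (f[i] == "--dport") { if (f[i+1] != port) ok = 0; i++ }
          else if (f[i] == "-m") i++
          else if (f[i] == "-j") { tgt = f[i+1]; i++ }
          else ok = 0
        }
        if (ok && tgt ~ /^(ACCEPT|DROP|REJECT)$/) return tgt " (rule " r ")"
      }
      return policy " (policy)"
    }
    /^\*/ { table = substr($0, 2) }
    table == "filter" && /^:FORWARD / { policy = $2 }
    table == "filter" && /^-A FORWARD / { rules[++nr] = $0 }
    table == "nat" && / -j DNAT / {
      dp = ""; to = ""
      for (i = 1; i < NF; i++) {
        if ($i == "--dport") dp = $(i+1)
        if ($i == "--to-destination") to = $(i+1)
      }
      targets[++nt] = (to ~ /:/) ? to : (to ":" dp)   # no port given: port unchanged
    }
    END { for (t = 1; t <= nt; t++) { split(targets[t], a, ":"); print targets[t], verdict(a[1], a[2]) } }'
}
printf '%s\n' "$NAT" "$EST" | check_dnat_forward          # FORWARD as found
printf '%s\n' "$NAT" "$FIX" "$EST" | check_dnat_forward   # with the reply's rule
```

A rule narrowed with `--dport 80` gets the same ACCEPT verdict from this check while opening only the forwarded port; the rule as written in the reply admits every TCP port on 192.168.155.123.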