Hello,
Martijn Lievaart wrote:
Jakub Nadolny wrote:
I try to do simple address:port forwarding and I can not get it
working. I want to have all traffic sent to
some.internet.address:some_port to be forwarded to 192.168.155.123:80.
So I guess following rule should work fine:
iptables -t nat -A PREROUTING -p tcp -d some.internet.address --dport 1234 -j DNAT --to 192.168.155.123:80
But when after that I enter some.internet.address:1234 in Firefox I can
not see webpage which is located at 192.168.155.123. It tries to connect
but there is no result.
What could be the reason of that?
If you are doing this from the same network the webserver is on, this will
not work. The return traffic is going straight back to the client instead
of being 'Natted-back' by the firewall.
That's when the DNAT is done on a router and the browser and the server
are on the same side of the router. The workaround is to SNAT the
DNAT-ed connection in the POSTROUTING chain as it is forwarded back to
the LAN. Take care to SNAT only connections from the local network, not
those from the internet because it hides the original source address.
If you are not doing the port forwarding on a router but on the box the
web browser is running on, the DNAT must be done in the OUTPUT chain
instead of PREROUTING.
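
The two cases described above, as an added example that is not from any poster in this thread: a small generator that prints the nat-table rules in iptables-restore format. Only 192.168.155.123:80 and port 1234 come from the original post; the public address 203.0.113.10, the LAN prefix 192.168.155.0/24, the router LAN address 192.168.155.1 and the function name are assumptions.

```shell
#!/bin/sh
# nat_rules MODE PUB_ADDR PUB_PORT SRV_ADDR SRV_PORT [LAN_CIDR ROUTER_LAN_ADDR]
#   MODE=router : DNAT in PREROUTING, plus SNAT for connections that come
#                 from the LAN and are forwarded back into the LAN
#   MODE=local  : DNAT in OUTPUT, for the box the browser itself runs on
# Output is iptables-restore input for the nat table. Nothing is applied.
nat_rules() {
    mode=$1 pub=$2 pport=$3 srv=$4 sport=$5 lan=${6:-} rtr=${7:-}
    case $mode in
    router)
        if [ -z "$lan" ] || [ -z "$rtr" ]; then
            echo "router mode needs LAN_CIDR and ROUTER_LAN_ADDR" >&2
            return 2
        fi
        printf '%s\n' '*nat'
        printf '%s\n' "-A PREROUTING -p tcp -d $pub --dport $pport -j DNAT --to-destination $srv:$sport"
        # POSTROUTING runs after DNAT, so it matches the rewritten
        # destination. The -s match keeps the SNAT limited to LAN clients;
        # connections from the internet keep their original source address.
        printf '%s\n' "-A POSTROUTING -s $lan -d $srv -p tcp --dport $sport -j SNAT --to-source $rtr"
        ;;
    local)
        printf '%s\n' '*nat'
        # Locally generated packets never traverse PREROUTING.
        printf '%s\n' "-A OUTPUT -p tcp -d $pub --dport $pport -j DNAT --to-destination $srv:$sport"
        ;;
    *)
        echo "unknown mode: $mode" >&2
        return 2
        ;;
    esac
    printf '%s\n' 'COMMIT'
}

# Constructed sample values (see the assumptions listed above).
nat_rules router 203.0.113.10 1234 192.168.155.123 80 192.168.155.0/24 192.168.155.1
```

The output can be checked with `iptables-restore --test` and loaded with `iptables-restore --noflush` so existing nat rules are kept.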