Hello,
Grant Taylor wrote:
On 06/16/08 14:41, Artem Y. Pervin wrote:
I want to do a simple thing. I want some port of the external
interface to redirect TCP traffic to the private network.
So, I have the following rule sequence:
# Port forwarding
iptables -t nat -I PREROUTING -i $EXTIF -p tcp --dport 30099 -j DNAT --to 192.168.10.119:22
iptables -t nat -I PREROUTING -i lo -p tcp --dport 30099 -j DNAT --to 192.168.10.119:22
At a quick glance your rules seem to be ok.
I beg to differ. AFAIK packets routed through the loopback interface
don't go through the nat/PREROUTING chain, so the latter rule will never
match any packet. My understanding is that only packets creating a new
yet unconfirmed connection go through the nat chains, and the connection
is confirmed right after the POSTROUTING chains, before the packet is
looped back into the PREROUTING chains. I have the feeling that
conntrack and NAT on loopback are somehow dodgy.
So the rule must be added to the OUTPUT chain:
iptables -t nat -I OUTPUT -o lo -p tcp --dport 30099 -j DNAT --to 192.168.10.119:22
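A small added model (not code from the thread) of the traversal the reply describes: the first packet of a connection consults nat/PREROUTING if it arrived on an interface and nat/OUTPUT if the host generated it, so a PREROUTING rule with -i lo never sees a locally generated connection. Addresses and port are the thread's own; $EXTIF is assumed to be eth0.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    chain: str   # "PREROUTING" or "OUTPUT"
    iface: str   # -i for PREROUTING, -o for OUTPUT
    dport: int
    to: str      # DNAT target "addr:port"

@dataclass
class Packet:
    local_origin: bool   # generated by this host -> consults nat/OUTPUT
    iface: str           # ingress interface, or egress interface if local
    dport: int
    conn_new: bool = True   # only the first packet of a flow is NATed

# The poster's two PREROUTING rules plus the OUTPUT rule the reply asks for.
# (eth0 stands in for $EXTIF; an assumption, not from the thread.)
POSTER_RULES = [
    Rule("PREROUTING", "eth0", 30099, "192.168.10.119:22"),
    Rule("PREROUTING", "lo", 30099, "192.168.10.119:22"),
]
FIXED_RULES = POSTER_RULES + [Rule("OUTPUT", "lo", 30099, "192.168.10.119:22")]

def nat_lookup(pkt, rules):
    """Return (chain consulted, DNAT target or None) for this packet.

    Established flows skip the nat table entirely (conntrack replays the
    mapping decided on the first packet), so they return (None, None).
    """
    if not pkt.conn_new:
        return None, None
    chain = "OUTPUT" if pkt.local_origin else "PREROUTING"
    for r in rules:
        if r.chain == chain and r.iface == pkt.iface and r.dport == pkt.dport:
            return chain, r.to
    return chain, None

if __name__ == "__main__":
    ext = Packet(local_origin=False, iface="eth0", dport=30099)
    loc = Packet(local_origin=True, iface="lo", dport=30099)
    print("external SYN, poster's rules:", nat_lookup(ext, POSTER_RULES))
    print("local SYN, poster's rules:   ", nat_lookup(loc, POSTER_RULES))
    print("local SYN, with OUTPUT rule: ", nat_lookup(loc, FIXED_RULES))
```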