OK, I just saw that the little "diagram" I sent in the OP had been moved about when sent, so I am resending the interface information just in case.

A: 10.0.1.200
B: eth0 10.0.1.192, eth1 10.0.10.2
C: eth0 10.0.10.1

A and B are on the same subnet and B and C are on another subnet.
The idea is to open the browser on A, type 10.0.1.192 and get the web server that is on C.

I did what you suggested, Mr Taylor, and it still does not work.
iptables -L lists this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             Macintosh.local     tcp dpt:www
ACCEPT     tcp  --  Macintosh.local      anywhere            tcp spt:www

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)

Thank you again,
Charles

On Tue, Jul 8, 2008 at 6:03 PM, Charles Romestant <cromestant@xxxxxxxxx> wrote:
> By the way, from B I can see the server on C, so it is not a NIC problem.
>
> Thanks again.
>
> charles
>
> On Tue, Jul 8, 2008 at 6:02 PM, Charles Romestant <cromestant@xxxxxxxxx> wrote:
>> Thanks for the answer.
>>
>> Hmm, tried it and it still does not work...
>>
>> Any ideas, at least to get some debug info... I still can't see the
>> server from a browser on A.
>>
>>
>> On Tue, Jul 8, 2008 at 5:40 PM, Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx> wrote:
>>> On 07/07/08 16:49, Charles Romestant wrote:
>>>>
>>>> On C there is a web server, running on port 80. I want to be able to
>>>> access it through B from A.
>>>>
>>>> So basically the ruleset on B should be: if it's port 80, forward to port 80
>>>> on C.
>>>
>>> These two rules should do the trick to get the traffic forwarded on through
>>> B to C.
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -d 10.0.1.192 -p tcp --dport 80 -j DNAT --to-destination 10.0.10.1
>>> iptables -t filter -A FORWARD -i eth0 -o eth1 -d 10.0.10.1 -p tcp --dport 80 -j ACCEPT
>>>
>>> You will need to make sure that the reply traffic back from C is allowed and
>>> appears to be from B.
>>>
>>> iptables -t filter -A FORWARD -i eth1 -o eth0 -s 10.0.10.1 -p tcp --sport 80 -j ACCEPT
>>> iptables -t nat -A POSTROUTING -o eth0 -s 10.0.10.1 -p tcp --sport 80 -j SNAT --to-source 10.0.1.192
>>>
>>>> Any help would be appreciated, thank you in advance,
>>>
>>> You are welcome.
>>>
>>>
>>>
>>> Grant. . . .
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>>
>>
>> --
>> Charz
>>
>
> --
> Charz
>

--
Charz
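
Added example, not part of the thread: plain `iptables -L` lists only the filter table, so the nat rules quoted above never appear in that listing. The script below reads a dump taken on B with `iptables-save -c` plus a copy of `/proc/sys/net/ipv4/ip_forward`, and uses the per-rule packet counters to report where port-80 traffic stops; the function names, file arguments and sample counters are constructed for illustration.

```shell
# hits DUMP TABLE CHAIN TARGET PORTOPT
# DUMP comes from `iptables-save -c` ([packets:bytes] before each rule).
# Prints packets counted by matching port-80 rules, or -1 if none exists.
hits() {
    awk -v tbl="$2" -v chain="$3" -v tgt="$4" -v opt="$5" '
        /^\*/ { cur = substr($0, 2); next }      # table header: *nat, *filter
        cur == tbl && $2 == "-A" && $3 == chain &&
        index($0, " " opt " 80 ") && index($0, " -j " tgt) {
            split(substr($1, 2), c, ":")         # $1 looks like [12:720]
            n += c[1]; found = 1
        }
        END { print (found ? n + 0 : -1) }
    ' "$1"
}

# diagnose DUMP IPFWD_FILE: one line saying where the traffic stops.
# IPFWD_FILE is a copy of /proc/sys/net/ipv4/ip_forward taken on B.
diagnose() {
    dnat=$(hits "$1" nat PREROUTING DNAT --dport)
    req=$(hits "$1" filter FORWARD ACCEPT --dport)
    rep=$(hits "$1" filter FORWARD ACCEPT --sport)
    if [ "$dnat" -lt 0 ]; then echo "no DNAT rule in nat PREROUTING"
    elif [ "$dnat" -eq 0 ]; then echo "DNAT rule present but never matched"
    elif [ "$(cat "$2")" != "1" ]; then echo "DNAT matched, ip_forward is off"
    elif [ "$req" -le 0 ]; then echo "DNAT matched, no requests counted in FORWARD"
    elif [ "$rep" -le 0 ]; then echo "requests forwarded, no replies counted on B"
    else echo "requests and replies both pass B"
    fi
}

# Constructed sample, not real counters from the thread: two connections
# were DNATed and six request packets forwarded, but no reply came back.
sample_dump() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [5:300]
[2:120] -A PREROUTING -d 10.0.1.192/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.1
COMMIT
*filter
:FORWARD ACCEPT [0:0]
[6:360] -A FORWARD -d 10.0.10.1/32 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -s 10.0.10.1/32 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT
EOF
}

tmp=$(mktemp -d); sample_dump > "$tmp/dump"; echo 1 > "$tmp/fwd"
diagnose "$tmp/dump" "$tmp/fwd"; rm -rf "$tmp"
```

Rules in the nat table count only the first packet of each connection, while filter rules count every packet. When requests are forwarded but no replies are counted, the next thing to check is whether C routes its replies to A (10.0.1.200) back via B (10.0.10.2).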