Thanks Grant - I understand exactly what you mean.

To solve the TCP Triangle problem I should probably add this rule
(192.168.11.1 is the local machine):

iptables -t nat -A POSTROUTING -p tcp --sport 80 -j SNAT --to 192.168.11.1

Would that be correct?

Thanks for your advice.

Jeremy.

On Fri, Oct 17, 2008 at 7:57 PM, Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx> wrote:
> On 10/17/08 12:40, Jeremy Pullicino wrote:
>>
>> After consulting with the docs and online tutorials I came up with the
>> command below:
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT 192.168.11.100
>>
>> Is this the correct way to do it?
>
> That is the first part of it. You will also need to SNAT the traffic.
>
>> Any advice will be really appreciated.
>
> Look through the archive for this mailing list, or better search it, for
> what I refer to as the "TCP Triangle".
>
> I think the most recent thread that this was discussed had a subject of
> "Different kind of transparent proxy".
>
> Also, you may find Jan Engelhardt's TCP Triangle image explains it well.
>
> http://jengelh.hopto.org/images/dnat-mistake.png
>
>
>
> Grant. . . .
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
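
The "TCP Triangle" mentioned in this thread, modelled as an added example (not code from either poster): a small Python simulation of the NAT box's connection tracking, showing why a DNAT-only setup fails when the client and the server can reach each other directly, and why adding SNAT fixes it. The NAT box (192.168.11.1) and server (192.168.11.100) addresses come from the thread; the client address 192.168.11.50, the source port 40000 and all class and function names are assumptions made for the illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# NAT box and server addresses are from the thread; the client is constructed.
CLIENT, NAT_BOX, SERVER = "192.168.11.50", "192.168.11.1", "192.168.11.100"


class NatBox:
    """Minimal conntrack model: one NAT decision per connection, reversed on replies."""

    def __init__(self, snat):
        self.snat = snat
        self.reverse = {}  # reply tuple as sent by the server -> tuple the client expects

    def forward(self, pkt):
        # PREROUTING DNAT: destination NAT_BOX:80 becomes SERVER:80.
        out = pkt._replace(dst=SERVER)
        if self.snat:
            # POSTROUTING SNAT on the forwarded flow (now heading to SERVER, dport 80).
            out = out._replace(src=NAT_BOX)
        reply_in = Packet(out.dst, out.dport, out.src, out.sport)
        self.reverse[reply_in] = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return out


def handshake(snat):
    """Return (path, accepted) for the SYN-ACK answering a client SYN to NAT_BOX:80."""
    box = NatBox(snat)
    syn = Packet(CLIENT, 40000, NAT_BOX, 80)
    at_server = box.forward(syn)
    # The server answers whatever source address it saw on the SYN.
    syn_ack = Packet(SERVER, 80, at_server.src, at_server.sport)
    if syn_ack.dst == NAT_BOX:
        path = "server->nat->client"
        syn_ack = box.reverse[syn_ack]  # conntrack undoes both translations
    else:
        # Same subnet: the reply goes straight to the client, skipping conntrack.
        path = "server->client"
    # The client's socket only accepts a reply from the address it dialled.
    accepted = (syn_ack.src, syn_ack.sport) == (syn.dst, syn.dport)
    return path, accepted


if __name__ == "__main__":
    for snat in (False, True):
        print("DNAT+SNAT" if snat else "DNAT only", handshake(snat))
```

In the DNAT-only run the SYN-ACK reaches the client with the server's own address as its source, so it matches no connection the client opened and the handshake never completes.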