Hello Mart,

Thanks for the guide. It now works.

-khairul

On Mon, Apr 13, 2009 at 1:05 PM, Mart Frauenlob <mart.frauenlob@xxxxxxxxx> wrote:
> no doubt wrote:
>>
>> Hi,
>>
>> Currently I'm running a gw firewall for an internal SOHO network.
>>
>> I would like to achieve that all IPs in 192.168.4.0/24 that are
>> accessing an outside internet address on port 80 will be directed to
>> 192.168.3.10 port 80, EXCEPT for a few IPs, namely 192.168.4.10,
>> 192.168.4.100 and 192.168.4.20.
>>
>> My rules in the nat filter read like this:
>>
>> *nat
>> :PREROUTING ACCEPT [4314:569235]
>> :POSTROUTING ACCEPT [42:12421]
>> :OUTPUT ACCEPT [2807:264498]
>>
>> iptables -A PREROUTING -s ! 192.168.4.10/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
>> iptables -A PREROUTING -s ! 192.168.4.20/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
>> iptables -A PREROUTING -s ! 192.168.4.100/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
>>
>> -A POSTROUTING -o ppp+ -j MASQUERADE
>> COMMIT
>>
>> Somehow it doesn't work, but if I leave only the 1st line, it works.
>>
>> Is there anything I can modify in the rules?
>>
>
> try this:
>
> iptables -t nat -N my_dnat
> iptables -t nat -A PREROUTING -i eth2 -s 192.168.4.10 -p tcp --dport 80 -j my_dnat
> [...]
>
> iptables -t nat -A my_dnat -j DNAT --to-destination 192.168.3.10
>
> -A POSTROUTING -o ppp+ -j MASQUERADE
>
> greets
>
> Mart
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
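The requirement from the thread, as an added example that is neither poster's own rules: one nat chain in which the excepted hosts RETURN before a single DNAT rule. The original three PREROUTING rules fail because a packet from 192.168.4.20 does not match `-s ! 192.168.4.20` but still matches the other two negated rules, so sequential negated rules OR the exceptions while a chain of RETURNs ANDs them. Interface, target and host addresses are taken from the thread; `IPT` and the `dnat_rules` function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT outbound web traffic from
# 192.168.4.0/24 to 192.168.3.10, except for three hosts.
# Assumed values, copied from the thread:
LAN_IF=eth2
TARGET=192.168.3.10
EXCEPT_IPS="192.168.4.10 192.168.4.20 192.168.4.100"
IPT=${IPT:-iptables}    # IPT=echo prints the commands instead of applying them

dnat_rules() {
    # Single entry point: LAN web traffic that is not staying inside 192.168.0.0/16.
    # Current iptables puts "!" before the option ("! -d"), not after it ("-d !").
    $IPT -t nat -N my_dnat
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s 192.168.4.0/24 ! -d 192.168.0.0/16 \
        -p tcp --dport 80 -j my_dnat
    # Excepted hosts leave the chain here and never reach the DNAT rule below.
    for ip in $EXCEPT_IPS; do
        $IPT -t nat -A my_dnat -s "$ip" -j RETURN
    done
    # Everyone else is redirected; this rule must stay last in the chain.
    $IPT -t nat -A my_dnat -j DNAT --to-destination "$TARGET":80
    $IPT -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
}

case "${1:-}" in
    apply) dnat_rules ;;            # needs root
    show)  IPT=echo; dnat_rules ;;  # dry run: print the rules that would be loaded
esac
```

After loading, `iptables -t nat -L my_dnat -n -v` shows per-rule counters, so a packet from an excepted host should increment its RETURN line and not the DNAT line.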