On Mon, 2009-07-13 at 16:14 +0200, Thomas Jacob wrote:
> You need DNAT+SNAT for this:
>
> # Redirect to IP:Port
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 \
>   -j DNAT --to-destination 172.20.1.254:25
>
> # Ensure that the replies come back to us
> iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 \
>   -d 172.20.1.254 -j SNAT --to-source 172.20.1.245

Hi Thomas!

I tried these rules but it seems that packets do not pass the first rule. To test this I put two LOG targets before and after the PREROUTING rule like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j LOG --log-tcp-options --log-prefix PREROUTING_before:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j DNAT --to-destination 172.20.1.254:25

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j LOG --log-tcp-options --log-prefix PREROUTING_after:

iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 172.20.1.254 --dport 25 -j SNAT --to-source 172.20.1.245

As a result I received in the log three messages with "PREROUTING_before" -- these were SYN packets. And no message with "PREROUTING_after" :-(

What could be wrong?

Regards,
Simion.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
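Added example (not part of the original message and not netfilter code): a small Python model of how a single iptables chain is walked, loaded with the three nat PREROUTING rules from the message above. LOG is a non-terminating target, while DNAT ends traversal of the chain for the packet it matches, so a LOG rule appended after the DNAT rule in the same chain is not evaluated for that packet. The names Packet, Rule and traverse, the sample SYN, and the use of 172.20.1.245 as the NAT box's own address are assumptions made for illustration.

```python
"""Model of iptables chain traversal: LOG continues, DNAT terminates."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str                   # "LOG" or "DNAT"
    iface: str = "eth0"
    proto: str = "tcp"
    dport: Optional[int] = None   # None means "any destination port"
    log_prefix: str = ""
    to_dst: str = ""              # "ip:port", used by DNAT only

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface and p.proto == self.proto
                and (self.dport is None or p.dport == self.dport))

def traverse(chain, pkt):
    """Walk the chain in order; return (packet leaving the chain, prefixes logged)."""
    logged = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":      # non-terminating: record it and keep walking
            logged.append(rule.log_prefix)
        elif rule.target == "DNAT":   # terminating: rewrite destination, stop here
            ip, port = rule.to_dst.rsplit(":", 1)
            return replace(pkt, dst=ip, dport=int(port)), logged
    return pkt, logged

# The three nat PREROUTING rules from the message, in the order they were appended.
PREROUTING = [
    Rule("LOG", dport=10025, log_prefix="PREROUTING_before:"),
    Rule("DNAT", dport=10025, to_dst="172.20.1.254:25"),
    Rule("LOG", dport=25, log_prefix="PREROUTING_after:"),
]

# Constructed SYN arriving on eth0 for port 10025 (destination address is assumed).
SYN = Packet(iface="eth0", proto="tcp", dst="172.20.1.245", dport=10025)

if __name__ == "__main__":
    out, logged = traverse(PREROUTING, SYN)
    print("logged:", logged)
    print("leaves PREROUTING as:", out)
```

On a real system the translated packet can be observed by placing the LOG rule in a chain that runs after nat PREROUTING, for example filter FORWARD matching -d 172.20.1.254 --dport 25.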