Hello,

Kapetanakis Giannis wrote:
>
> 192.168.1.0/24 is my public IP range (eth0)

This IP range is private, not public. If you made it up, please use the 192.0.2.0/24 range reserved for examples and documentation instead.

> 10.0.0.0/24 is my private IP range (eth1)
> 192.168.1.1 public IP of server
> 10.0.0.1 private IP of server
>
> I'd like to add the following rules in the nat table:
>
> [1] -A PREROUTING -i eth0 -d 192.168.1.1 -p tcp --dport 8080 -j DNAT
> --to-destination 10.0.0.1:8080
> [2] -A POSTROUTING -o eth0 -s 10.0.0.1 -p tcp --sport 8080 -j SNAT
> --to-source 192.168.1.1:8080
> [3] -A POSTROUTING -o eth0 -s 10.0.0.0/24 --to-source
> 192.168.1.1-192.168.1.10

Rule [2] is pointless. Packets with source port 8080 are obviously replies, and Netfilter NAT implicitly takes care of reply packets. Actually, the 'nat' chains don't even see reply packets.

> According to http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
> iptables is clever enough to avoid overlaps and clashes.
> Are we sure that there isn't any chance to map a random packet (not from
> the server)
> to 192.168.1.1:8080 in rule [3]?

No. That could happen as long as it does not create a collision with an existing mapping. Why do you worry about it? The important point is that netfilter avoids collisions between existing NAT mappings. Rules do not create mappings by themselves; a mapping is created only for each new connection created by a packet.

> I mean, does rule [2] reserve port 8080 of 192.168.1.1?

No. NAT rules do not reserve anything.
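A toy model of the behaviour the reply describes, added here as an illustration and not part of the thread or of netfilter's code: rule [1] (DNAT) and rule [3] (SNAT pool) create one mapping per new connection, replies are reversed from the tracked mapping with no rule [2] at all, and a translation is refused only when its reply tuple already belongs to a tracked connection. The client addresses and the sequential walk through the pool are constructed assumptions (real netfilter picks the pool address by hash and can also change the port).

```python
# Constructed model: tuples are (src_ip, src_port, dst_ip, dst_port), TCP assumed.
PUBLIC_IP = "192.168.1.1"                               # as used in the thread
SNAT_POOL = [f"192.168.1.{i}" for i in range(1, 11)]    # rule [3] range
SERVER = "10.0.0.1"                                     # rule [1] target

def inverse(t):
    """Reply-direction tuple of a packet tuple."""
    return (t[2], t[3], t[0], t[1])

class Conntrack:
    def __init__(self):
        self.tuples = set()    # original and reply tuples of every tracked connection
        self.mappings = {}     # original tuple -> translated tuple

    def _track(self, original, translated):
        self.tuples.add(original)
        self.tuples.add(inverse(translated))
        self.mappings[original] = translated

    def dnat(self, pkt):
        """Rule [1]: new connections to PUBLIC_IP:8080 are mapped to the server."""
        if pkt not in self.mappings and pkt[2:] == (PUBLIC_IP, 8080):
            self._track(pkt, pkt[:2] + (SERVER, 8080))
        return self.mappings.get(pkt, pkt)

    def snat(self, pkt):
        """Rule [3]: keep the source port, try each pool address until no collision."""
        if pkt in self.mappings:                 # existing connection: no new mapping
            return self.mappings[pkt]
        if not pkt[0].startswith("10.0.0."):
            return pkt
        for ip in SNAT_POOL:
            candidate = (ip, pkt[1]) + pkt[2:]
            # Nothing is reserved: the only test is a clash with a tracked tuple.
            if inverse(candidate) not in self.tuples:
                self._track(pkt, candidate)
                return candidate
        raise RuntimeError("no collision-free mapping in the pool")

    def reply(self, pkt):
        """Reply packets are un-translated from the mapping; no nat chain is consulted."""
        for original, translated in self.mappings.items():
            if pkt == inverse(translated):
                return inverse(original)
        return pkt
```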