Hello, Mauricio Tavares a écrit : > Let's say I have server1 with two ports, eth0 and eth0, and server2 Did you mean "eth0 and eth1" ? > whose eth0 port is connected to server1's eth1. And let's say the subnet > between them is 192.168.1.0/24 while the one server1's eth0 is connected > to is 192.168.4.0/24. > > I have the following rules to forward port 6969 coming on eth0 on > server1 to port 6969 on server2's eth0: > > iptables -A PREROUTING -t nat -p tcp --dport 6969 -j DNAT --to > 192.168.1.server2:6969 > iptables -A INPUT -d 192.168.4.server1 -p tcp -m tcp -m state --state > NEW --dport 6969 -j ACCEPT This rule in INPUT is pointless because 1) packets have already been DNATed by the previous rule in PREROUTING, 2) the new destination is a remote address, so packets go through FORWARD, not INPUT. > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE > > Any machine in 192.168.4.0/24 seems to be able to get to server2 by > using 192.168.1.server1:6969. But, if I try to connect to > 192.168.1.server1:6969 on server1 itself, I will not be forwarded to > server2. What am I missing here? As Jan explained, the PREROUTING chain of the 'nat' table sees only incoming packets received from outside. DNAT for locally generated packets must be done in the OUTPUT chain. PS : If you want the connection to work from server2 too, you must add a specific MASQUERADE/SNAT for it too in POSTROUTING. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
