On Thursday 2010-12-02 03:35, Landy Landy wrote:
> Hello.
>
> Can someone please tell me why I cannot access a machine inside my LAN from outside? These are my rules to try to accomplish that task:
>
> $iptables -t nat -A PREROUTING -i $EXT_IFACE -p tcp \
>     -s $UNIVERSE --sport $UNPRIVPORTS -d $EXT_IP --dport 22 \
>     -j DNAT --to-destination 172.16.0.200:22
>
> $iptables -A FORWARD -i $EXT_IFACE -o $LAN_IFACE -p tcp \
>     -s $UNIVERSE --sport $UNPRIVPORTS -d 172.16.0.200 --dport 22 \
>     -m state --state NEW -j ACCEPT
>
> $iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> What am I doing wrong?
>
> When I try to ssh from outside our network I can see it gets to the prerouting but nothing gets forwarded:
>
> Chain PREROUTING (policy ACCEPT 1223 packets, 93798 bytes)
>  pkts bytes target   prot opt in   out  source         destination
>   374 19224 REDIRECT tcp  --  eth0 *    172.16.0.0/16  0.0.0.0/0    tcp spts:1024:65535 dpt:80 redir ports 3128
>     0     0 REDIRECT tcp  --  eth0 *    172.16.0.0/16  172.16.0.1   tcp spts:1024:65535 dpt:8080 redir ports 80
>     0     0 REDIRECT tcp  --  eth1 *    0.0.0.0/0      190.80.4.42  tcp spts:1024:65535 dpt:8080 redir ports 80
>     3   180 DNAT     tcp  --  eth1 *    0.0.0.0/0      190.80.4.42  tcp spts:1024:65535 dpt:22 to:172.16.0.200:22

This spts thing. It's redundant and does not protect anything.
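For comparison, here is the same DNAT port-forward written without the --sport match the reply objects to, plus the ip_forward sysctl that a DNAT'd packet needs in order to traverse the FORWARD chain at all. This is an added example, not code from the thread; the interface names, public address and dry-run switch are assumptions chosen for illustration.

```shell
#!/bin/sh
# DNAT port-forward for SSH to an internal host, as a dry-run-capable function.
# Assumed values (constructed for this example, not from the original post):
#   external interface eth1, LAN interface eth0, public IP 192.0.2.10,
#   internal host 172.16.0.200. With DRY_RUN=1 (the default) the commands
#   are printed instead of executed.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the rules needed to forward TCP port $5 arriving on $3 to $4:$5.
# No --sport / $UNPRIVPORTS match: it only narrows what is accepted by the
# client's ephemeral port and, as the reply says, protects nothing.
forward_port() {
    ext_if=$1; lan_if=$2; ext_ip=$3; int_host=$4; port=$5

    # Without forwarding enabled, DNAT'd packets are dropped after routing
    # and never reach the FORWARD chain, so the nat counters rise but the
    # filter counters stay at zero.
    run sysctl -w net.ipv4.ip_forward=1

    # Rewrite the destination before the routing decision.
    run iptables -t nat -A PREROUTING -i "$ext_if" -p tcp \
        -d "$ext_ip" --dport "$port" \
        -j DNAT --to-destination "$int_host:$port"

    # FORWARD sees the packet after DNAT, so match the internal address here.
    run iptables -A FORWARD -i "$ext_if" -o "$lan_if" -p tcp \
        -d "$int_host" --dport "$port" \
        -m state --state NEW -j ACCEPT

    # Replies and related traffic (e.g. ICMP errors) for flows already accepted.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

forward_port eth1 eth0 192.0.2.10 172.16.0.200 22
```

Run with DRY_RUN=0 as root to apply the rules; the internal host must also route its replies back through this box, otherwise the DNAT'd connection is never completed.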