Adding -m state --state NEW,ESTABLISHED seems to do the trick:

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 10.4.38.182 --dport 2300 -m state --state NEW,ESTABLISHED -j DNAT --to 192.168.10.2:2300

Thanks a lot for guiding.

On Fri, Jun 27, 2014 at 1:08 PM, Vijay Viswanathan <vijay.vishy@xxxxxxxxx> wrote:
> Good point.
> The container is able to ping other machines in the network:
>
> # traceroute 10.4.38.222
> traceroute to 10.4.38.222 (10.4.38.222), 30 hops max, 38 byte packets
>  1  192.168.10.1 (192.168.10.1)  0.047 ms  0.023 ms  0.019 ms
>  2  10.4.38.222 (10.4.38.222)  0.439 ms  0.393 ms  0.320 ms
> #
>
> Also, the container is able to ping the host:
>
> # traceroute 10.4.38.182
> traceroute to 10.4.38.182 (10.4.38.182), 30 hops max, 38 byte packets
>  1  10.4.38.182 (10.4.38.182)  0.052 ms  0.023 ms  0.018 ms
>
> and vice versa (from host to container):
>
> # traceroute 192.168.10.2
> traceroute to 192.168.10.2 (192.168.10.2), 30 hops max, 38 byte packets
>  1  192.168.10.2 (192.168.10.2)  0.050 ms  0.032 ms  0.026 ms
>
> From host:
>
> # iptables-save
> # Generated by iptables-save v1.4.21 on Thu Jan  1 02:34:10 1970
> *nat
> :PREROUTING ACCEPT [1:142]
> :INPUT ACCEPT [1:142]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -d 10.4.38.182/32 -i eth1 -p tcp -m tcp --dport 2300 -j DNAT --to-destination 192.168.10.2:2300
> -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j MASQUERADE
> COMMIT
> # Completed on Thu Jan  1 02:34:10 1970
> # Generated by iptables-save v1.4.21 on Thu Jan  1 02:34:10 1970
> *mangle
> :PREROUTING ACCEPT [19518:3047480]
> :INPUT ACCEPT [18424:2795220]
> :FORWARD ACCEPT [476:70846]
> :OUTPUT ACCEPT [3080:241144]
> :POSTROUTING ACCEPT [3556:311990]
> COMMIT
> # Completed on Thu Jan  1 02:34:10 1970
> # Generated by iptables-save v1.4.21 on Thu Jan  1 02:34:10 1970
> *filter
> :INPUT ACCEPT [60:3920]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [36:2555]
> COMMIT
> # Completed on Thu Jan  1 02:34:10 1970
>
> From container:
>
> # iptables-save
> # Generated by iptables-save v1.4.21 on Thu Jan  1 02:35:19 1970
> *nat
> :PREROUTING ACCEPT [16:918]
> :INPUT ACCEPT [16:918]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> # Completed on Thu Jan  1 02:35:19 1970
> # Generated by iptables-save v1.4.21 on Thu Jan  1 02:35:19 1970
> *mangle
> :PREROUTING ACCEPT [72:4292]
> :INPUT ACCEPT [72:4292]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [16:1012]
> :POSTROUTING ACCEPT [16:1012]
> COMMIT
> # Completed on Thu Jan  1 02:35:19 1970
> # Generated by iptables-save v1.4.21 on Thu Jan  1 02:35:19 1970
> *filter
> :INPUT ACCEPT [72:4292]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [16:1012]
> COMMIT
> # Completed on Thu Jan  1 02:35:19 1970
>
> Thanks a lot
>
> On Fri, Jun 27, 2014 at 12:18 PM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
>> Vijay Viswanathan wrote:
>>> I did that but still not working. The telnet [telnet 10.4.38.182 2300]
>>> command is stuck for a long time.
>>>
>>> # iptables -t nat --list
>>
>> Please use iptables-save instead. The output is much easier to read.
>>
>>> # route
>>
>> Can you provide the output of the same commands run in the container?
>> Can the container connect to or ping some external host?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
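As an added example (not code from the thread or its participants), here is a small checker that parses iptables-save output of the kind quoted above and reports what would stop a DNAT port-forward like the host's from working: a missing PREROUTING DNAT rule for the published port, or a FORWARD chain whose policy is DROP with no ACCEPT rule towards the container. The sample dump is constructed from the host's nat and filter tables in the thread; the function names are this example's own.

```python
import re

# Constructed sample modelled on the host's nat/filter dump quoted in the thread.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [1:142]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.4.38.182/32 -i eth1 -p tcp -m tcp --dport 2300 -j DNAT --to-destination 192.168.10.2:2300
-A POSTROUTING -s 192.168.10.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [60:3920]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36:2555]
COMMIT
"""


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {"policy": {chain: policy}, "rules": [...]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                        # table header, e.g. "*nat"
            cur = tables.setdefault(line[1:].strip(), {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:  # chain policy, e.g. ":FORWARD ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur is not None:  # appended rule
            cur["rules"].append(line)
    return tables


def check_port_forward(text, host_ip, port, target):
    """Return a list of problems with the DNAT forward host_ip:port -> target (empty = looks fine)."""
    tables = parse_iptables_save(text)
    problems = []
    nat_rules = tables.get("nat", {}).get("rules", [])
    dnat = [r for r in nat_rules
            if r.startswith("-A PREROUTING") and re.search(rf"-d {re.escape(host_ip)}(/32)?\b", r)
            and f"--dport {port} " in r and f"-j DNAT --to-destination {target}" in r]
    if not dnat:
        problems.append(f"no PREROUTING DNAT rule for {host_ip}:{port} -> {target}")
    filt = tables.get("filter", {"policy": {}, "rules": []})
    target_ip = target.split(":")[0]
    if filt["policy"].get("FORWARD") == "DROP" and not any(
            r.startswith("-A FORWARD") and f"-d {target_ip}" in r and r.endswith("-j ACCEPT")
            for r in filt["rules"]):
        problems.append(f"FORWARD policy is DROP and no ACCEPT rule forwards to {target_ip}")
    # net.ipv4.ip_forward is not part of the dump; check it separately with sysctl.
    return problems


if __name__ == "__main__":
    print(check_port_forward(SAMPLE_DUMP, "10.4.38.182", 2300, "192.168.10.2:2300") or "ok")
```

Feed it the real `iptables-save` output from the host to see whether the nat and filter tables agree with the forward you expect; it does not inspect the state match or conntrack itself.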