Can anyone tell me how to do this?

Jason Opperisano opie at
Thu Sep 23 19:48:08 CEST 2004

On Thu, 2004-09-23 at 13:28, Dominic Iadicicco wrote:
> it didn't work
>   Thank you for the input though. 
> Dom

hmmm...i never got Samuel's response...

a good learning exercise for you would be to figure out why it doesn't

> --- Samuel Díaz García (ArcosCom)
> <samueldg at> wrote:

[ snip]

> > $> iptables -t filter -A INPUT -i eth1 -d
> > -m tcp -p tcp --dport
> > 22 -j ACCEPT

this allows connections to pass an INPUT filter rule with destination IP and destination port 22 (TCP).

that wasn't really what you were asking for, but may be of some use to
you in another situation...

> > $> iptables -t nat -A PREROUTING -i eth1 -d
> > -m tcp -p tcp --dport
> > 22 -j DNAT --to-destination

think about what the word PREROUTING means.  it means that before this
linux host ever makes any layer 3 decision about this packet at
all--we're going to modify it.  once this rule is applied--the linux
host will never ever see a packet that has a destination IP of
in the context of this connection.  the destination IP is  as such, any filter rules applied later in the stack
will have to accommodate, not

if you're using this as a learning experience (and i hope this is on a
test machine); i recommend LOG-ing everything you can, break things at
will, figure out why they broke, and how to fix them.

and i never get tired of pimping this:



Jason Opperisano <opie at>
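An added illustration of the point above (not part of the thread, and not real netfilter code): a small Python model of the traversal order nat PREROUTING -> routing decision -> filter INPUT or FORWARD. The addresses are constructed placeholders, since the original mail's IPs are missing.

```python
# Added model of netfilter traversal order; IPs below are constructed placeholders.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    dst: str
    dport: int
    target: str        # "ACCEPT", "DROP" or "DNAT"
    to: str = ""       # new destination, only used by DNAT

    def matches(self, p):
        return (self.iface, self.proto, self.dst, self.dport) == \
               (p.iface, p.proto, p.dst, p.dport)

def run_chain(rules, pkt, policy):
    """Walk one chain top-down; return (verdict, possibly rewritten packet)."""
    for r in rules:
        if r.matches(pkt):
            if r.target == "DNAT":
                return "DNAT", replace(pkt, dst=r.to)   # dst is rewritten here
            return r.target, pkt
    return policy, pkt

def traverse(pkt, local_ips, nat_prerouting, filter_input, filter_forward):
    """nat PREROUTING runs first, THEN the routing decision picks INPUT/FORWARD."""
    _, pkt = run_chain(nat_prerouting, pkt, "ACCEPT")
    chain = "INPUT" if pkt.dst in local_ips else "FORWARD"
    verdict, pkt = run_chain(filter_input if chain == "INPUT" else filter_forward,
                             pkt, "DROP")
    return chain, verdict, pkt.dst

ROUTER_IP, INTERNAL_IP = "203.0.113.10", "192.168.1.20"   # constructed
PREROUTING = [Rule("eth1", "tcp", ROUTER_IP, 22, "DNAT", to=INTERNAL_IP)]
SSH_IN = Packet("eth1", "tcp", ROUTER_IP, 22)

def filter_on_old_dst():
    # Filter rule written against the pre-DNAT address: never consulted, never matches.
    return traverse(SSH_IN, {ROUTER_IP}, PREROUTING,
                    [Rule("eth1", "tcp", ROUTER_IP, 22, "ACCEPT")], [])

def filter_on_new_dst():
    # Filter rule accommodating the translated address, in FORWARD where it now lands.
    return traverse(SSH_IN, {ROUTER_IP}, PREROUTING,
                    [], [Rule("eth1", "tcp", INTERNAL_IP, 22, "ACCEPT")])
```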
