IP forwarding

curby . curby.public at gmail.com
Thu Aug 4 07:02:44 CEST 2005

On 8/3/05, Gömöri Zoltán <suf at freemail.hu> wrote:
> Hi,
> > -----Original Message-----
> > From: netfilter-bounces at lists.netfilter.org
> > [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of
> > Ricardo J. Méndez
> > Sent: Thursday, August 04, 2005 3:38 AM
> > To: netfilter at lists.netfilter.org
> > Subject: IP forwarding
> >
> > Hi,
> >
> > I've got a network setup where the internal router is a Linux box
> > running iptables.  External interface is eth0, internal eth1.  I'm
> > attempting to forward an external IP address (say, to an
> > internal machine.
> >
> > The rule I added is:
> >
> > iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT
> > --to
> The roule should look like this:
> iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT
> --to-destination

Actually, I believe that --to is a valid unique prefix for
--to-destination.  The fact that it didn't flag as a syntax error
supports this.

The problem is that locally generated packets (from the firewall
itself) to never pass through filter.PREROUTING.  Each
forwarded port may need up to four rules to NAT all access.  The
script I use (at http://www.curby.net/doc/curbywall ) is an example of
using all four, though it may be difficult to understand.  The general
principle but applied to the SNAT-ed network as opposed to localhost 
is described in


Other folks here are proponents of running a local DNS server so you
don't have to do such NAT contortions.


More information about the netfilter mailing list