dnatting

Gary W. Smith gary at primeexalia.com
Tue Jul 12 16:05:32 CEST 2005


Not sure.  Multiple people keep telling me this isn't necessary but I
found that if I don't use these entries then accesses from other local
machines on the same network become unreliable.  Adding the extra line
solves that problem.



> -----Original Message-----
> From: Payal Rathod [mailto:payal-netfilter at scriptkitchen.com]
> Sent: Tuesday, July 12, 2005 12:34 AM
> To: Gary W. Smith
> Cc: Netfilter ML
> Subject: Re: dnatting
> 
> On Mon, Jul 11, 2005 at 12:09:44PM -0700, Gary W. Smith wrote:
> > Payal,
> >
> > You need to add a second simple entry:
> [...]
> 
> Thanks this solved it. Thanks again.
> Now I am curious why Jason didn't suggest this.
> 
> With warm regards,
> -Payal
> 
> >
> > Look at the entries below.  I'm mapping an entire IP but this would be
> > simple to just do a single port.  The second POSTROUTING line is what
> > made everything work for my typical firewalls.
> >
> > # Completed on Mon Jul 11 10:58:27 2005
> > # Generated by iptables-save v1.2.11 on Mon Jul 11 10:58:27 2005
> > *nat
> > :PREROUTING ACCEPT [2547:176804]
> > :POSTROUTING ACCEPT [633:40896]
> > :OUTPUT ACCEPT [40:4518]
> > -A PREROUTING -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
> >
> > -A POSTROUTING -s 10.94.16.50 -o eth0 -j SNAT --to-source 81.45.25.50
> > -A POSTROUTING -s 10.94.16.50 -d 10.94.16.0/255.255.255.0 -j SNAT --to-source 81.45.25.50
> >
> > -A POSTROUTING -o eth0 -p ! ipv6-crypt -j SNAT --to-source 81.45.25.50
> > -A OUTPUT -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
> > COMMIT
> > # Completed on Mon Jul 11 10:58:27 2005
> >
> >
> > > -----Original Message-----
> > > From: netfilter-bounces at lists.netfilter.org [mailto:netfilter-
> > > bounces at lists.netfilter.org] On Behalf Of Payal Rathod
> > > Sent: Monday, July 11, 2005 8:19 AM
> > > To: Netfilter ML
> > > Subject: dnatting
> > >
> > > Hi,
> > > I have a rule on my friend's broadband connection to redirect traffic
> > > from outside to an internal machine like,
> > >
> > > iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
> > >     --to-destination 192.168.10.10:80
> > >
> > > But she complained that people from inside the network cannot do
> > > http://1.2.3.4 in their browser and see the site. Is she correct?
> > > What is wrong with my rule because I can see the site from outside?
> > >
> > > Thanks in advance.
> > > With warm regards,
> > > -Payal
> > >
> > >
> >
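The problem in this thread is "hairpin" NAT: a PREROUTING DNAT alone serves outside clients, but a LAN client that connects to the public address gets its reply straight back from the internal server's LAN address, which its TCP stack does not recognise as the connection it opened. The following is an added example, not code from the thread or from any of its authors. It generates the two rules for the common form of the fix, where the second rule SNATs LAN-originated, DNATed connections to the firewall's own LAN address (the thread's rules use the public address instead). The addresses reuse Payal's placeholders; FW_LAN_IP is an assumed address for the firewall on the LAN.

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables rules for hairpin
# NAT so LAN clients can reach an internal server via its public address.
# Addresses are placeholders; FW_LAN_IP is an assumption (the firewall's own
# address on the LAN side).
PUBLIC_IP=1.2.3.4
SERVER_IP=192.168.10.10
LAN_NET=192.168.10.0/24
FW_LAN_IP=192.168.10.1
PORT=80

# Print the rules rather than apply them, so the script can be inspected
# offline; pipe its output into sh on the firewall to apply.
hairpin_nat_rules() {
    pub=$1; srv=$2; lan=$3; fwlan=$4; port=$5

    # 1. Original DNAT: connections to the public address are rewritten to
    #    the internal server. This alone works only for outside clients.
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$pub" "$port" "$srv" "$port"

    # 2. Why LAN clients fail with rule 1 alone: the firewall DNATs the
    #    client's SYN to the server, but the server answers the client
    #    directly across the LAN with source $srv. The client expected a
    #    reply from $pub, so the reply is dropped.
    # 3. Fix: also SNAT those LAN-originated connections to the firewall's
    #    LAN address, so the server replies to the firewall, which un-NATs
    #    both directions. nat/POSTROUTING sees the post-DNAT destination,
    #    so matching -d $srv limits the rule to exactly this flow.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$lan" "$srv" "$port" "$fwlan"
}

# Number of rules produced; handy for a quick sanity check.
rule_count() {
    hairpin_nat_rules "$PUBLIC_IP" "$SERVER_IP" "$LAN_NET" "$FW_LAN_IP" "$PORT" | wc -l | tr -d ' '
}

hairpin_nat_rules "$PUBLIC_IP" "$SERVER_IP" "$LAN_NET" "$FW_LAN_IP" "$PORT"
```

Two caveats a practitioner will want: after the SNAT rule is in place the internal server's logs show the firewall's LAN address instead of the real LAN client for hairpinned connections, so keep the rule narrow (one source network, one destination, one port) and log at the firewall if client attribution matters; and the PREROUTING rule as written applies to any interface, which is what makes LAN packets for the public address eligible for the DNAT in the first place.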