On Sun, 2002-02-17 at 20:55, Rick Pasotto wrote:
> On Sun, Feb 17, 2002 at 03:43:25AM -0800, Jeremy T. Bouse wrote:
> > On Sun, Feb 17, 2002 at 12:37:08AM -0500, Rick Pasotto wrote:
> > > How do I port forward with iptables? With ipchains the command was:
> > >
> > > ipmasqadm portfw -a -P tcp -L $extip $port -R $intip $port
> >
> > What I have in my firewall rules script built with Firewall
> > Builder 1.0.0 (fwbuilder) to do port forwarding is:
> >
> > iptables -t nat -A PREROUTING -p tcp -s <SRC_IP> -d <EXT_IP>
> > --destination-port <PORT> -j DNAT --to-destination <INT_IP>:<PORT>
> >
> > This works very well... In fact all my machines are behind the
> > firewall and only have what ports are forwarded in available...
>
> OK. Here is the rule I used:
>
> iptables -t nat -A PREROUTING -p tcp -s 64.34.82.201 -d 192.168.0.1
> --destination-port 2047 -j DNAT --to-destination 192.168.0.5:2047
>
> When I activate the program on the windows box (192.168.0.5) tcpdump
> reports lots of hits on eth0 port 2047 but nothing on eth1 port 2047
> and the program doesn't respond like it should.
>
Your rule is for connections originating at IP 64.34.82.201 with destination port 2047 on 192.168.0.1, which is nearly impossible since 192.168 is not visible to 64.34.82.201. Plus, it seems you want to do something originating at 192.168.0.5, while this is the final destination of your routing.

What you meant is probably: any source (omit the -s), -d 64.34.82.201 (if this is the public IP of your frontend); the remainder seems fine.

> What am I misunderstanding? Does it matter whether the SNAT (to do
> masquerading) or the DNAT rule comes first?
>

No, PREROUTING (DNAT) is always treated before POSTROUTING (SNAT).

> Also, how do you list the nat chains? 'iptables -L' only lists the
> filter chains.
>

iptables -L -t nat

Michel.

> --
> If each man has the right to defend, even by force, his person,
> his liberty, and his property, several men have the right to get
> together, come to an understanding, and organize a collective
> force to provide regularly for this defense.
> -- Frédéric Bastiat (1801-1850)
> Rick Pasotto [EMAIL PROTECTED] http://www.niof.net
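As an added example (not from anyone in the thread), here is a small POSIX shell helper that turns the old `ipmasqadm portfw` invocation from the first message into the corrected iptables DNAT rule Michel describes (no `-s`, `-d` set to the firewall's public address). The `portfw_to_iptables` and `run` names and the `DRY_RUN` switch are my own; the trailing FORWARD rule is my addition, since DNAT only rewrites the destination and the filter table still has to accept the translated packet.

```sh
#!/bin/sh
# Convert "ipmasqadm portfw -a -P proto -L extip port -R intip port"
# into the iptables nat rule from the thread. With DRY_RUN=1 (the default)
# the commands are only printed so they can be reviewed first.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: portfw_to_iptables -a -P <proto> -L <extip> <port> -R <intip> <port>
# The source address is deliberately left unrestricted: matching the remote
# client with -s and the internal box with -d was the mistake in the thread.
portfw_to_iptables() {
    proto="" extip="" extport="" intip="" intport=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -a) shift ;;                         # ipmasqadm "add" flag
            -P) proto=$2; shift 2 ;;
            -L) extip=$2; extport=$3; shift 3 ;; # local = firewall's public IP
            -R) intip=$2; intport=$3; shift 3 ;; # remote = internal host
            *)  echo "unknown option: $1" >&2; return 1 ;;
        esac
    done
    if [ -z "$proto" ] || [ -z "$extip" ] || [ -z "$extport" ] \
       || [ -z "$intip" ] || [ -z "$intport" ]; then
        echo "usage: portfw_to_iptables -a -P proto -L extip port -R intip port" >&2
        return 1
    fi
    # DNAT in PREROUTING: runs before POSTROUTING (SNAT/masquerade), as noted above.
    run iptables -t nat -A PREROUTING -p "$proto" -d "$extip" \
        --destination-port "$extport" -j DNAT --to-destination "$intip:$intport"
    # Constructed addition: allow only this forwarded port through the FORWARD chain.
    run iptables -A FORWARD -p "$proto" -d "$intip" --destination-port "$intport" -j ACCEPT
}

# Example from the thread, assuming 64.34.82.201 is the firewall's public IP.
portfw_to_iptables -a -P tcp -L 64.34.82.201 2047 -R 192.168.0.5 2047
```

Run with `DRY_RUN=0` as root to apply the rules, then confirm them with `iptables -L -t nat` as Michel suggests.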