EtherMage wrote:
>>2. You ACCEPT the packets on your input chain first (meaning they go to
>>the local box, and are routed per the routing table) and THEN you do
>>DNAT. By the time you reach DNAT, all the port 80 bound packets have
>>already been ACCEPTed by the INPUT chain. Put the DNAT rules first
>>(remember the ASCII art flow chart? prerouting, then input).
>>
>
>Not true. DNAT is done in PREROUTING, which comes before INPUT. You need
>to review that ASCII chart you mentioned. THEN, if the DNATted packet says
>go to an IP owned by the firewall, the connection has to pass through the
>INPUT chain. Otherwise, it'll go thru the FORWARD chain, and it will have
>to pass _those_ filters - that's where you have to open port 80 for the DNAT
>to work properly.
>
Perhaps this is my misunderstanding, but I thought that rules are processed in the order in which they are written. Then again, thinking it over, that does not make much sense. I always define my rules in the prerouting - input - forward - output - postrouting sequence, so I guess I found the rules as written confusing. My bad.
>
>
> > >-EtherMage
>
> >OT PS: PLEASE, PLEASE, use a spell checker or at least look over your post
> >for typos before sending, it makes things so much easier to read.
>

Hey, at least I tried to help, eh? ;-)

--Yan
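The traversal order argued over in the thread (nat/PREROUTING first, then the routing decision sends the packet to INPUT if the firewall owns the new destination or to FORWARD otherwise), as an added illustration that is not part of anyone's post: a small Python model of that order, using constructed addresses and rules, showing why opening port 80 only in INPUT leaves a DNATted connection to an internal host blocked.

```python
# Added illustration of the netfilter traversal order under discussion; all
# addresses and rules here are constructed, not taken from anyone's real setup.

FIREWALL_IPS = {"203.0.113.1", "192.168.1.1"}   # addresses the firewall itself owns
WEB_SERVER = "192.168.1.10"                      # internal host behind the firewall


def nat_prerouting(pkt, dnat_rules):
    """nat/PREROUTING: rewrite the destination before any routing decision."""
    for rule in dnat_rules:
        if pkt["dst"] == rule["dst"] and pkt["dport"] == rule["dport"]:
            return {**pkt, "dst": rule["to"]}
    return pkt


def filter_chain(pkt, rules, policy="DROP"):
    """First matching rule wins; otherwise the chain policy applies."""
    for match, target in rules:
        if all(pkt.get(k) == v for k, v in match.items()):
            return target
    return policy


def traverse(pkt, dnat_rules, input_rules, forward_rules):
    """PREROUTING -> routing decision -> INPUT (local) or FORWARD (elsewhere)."""
    pkt = nat_prerouting(pkt, dnat_rules)
    if pkt["dst"] in FIREWALL_IPS:
        return "INPUT", filter_chain(pkt, input_rules)
    return "FORWARD", filter_chain(pkt, forward_rules)


DNAT = [{"dst": "203.0.113.1", "dport": 80, "to": WEB_SERVER}]
OPEN_80 = ({"proto": "tcp", "dport": 80}, "ACCEPT")
INBOUND_HTTP = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.1", "dport": 80}


def wrong_setup():
    # Port 80 opened in INPUT only: the DNATted packet never visits INPUT.
    return traverse(INBOUND_HTTP, DNAT, input_rules=[OPEN_80], forward_rules=[])


def right_setup():
    # Port 80 opened in FORWARD, which is where the DNATted packet is filtered.
    return traverse(INBOUND_HTTP, DNAT, input_rules=[], forward_rules=[OPEN_80])


if __name__ == "__main__":
    print("INPUT-only :", wrong_setup())   # ('FORWARD', 'DROP')
    print("FORWARD    :", right_setup())   # ('FORWARD', 'ACCEPT')
```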
