You don't need both a prerouting and postrouting rule to do this. However you do need a forward rule and it's easy to forget that. You only need something like this:
## Forward traffic to DMZ server
iptables -t nat -A PREROUTING -i $EXTIF -p tcp -d $HTTP1 --dport 80 -j DNAT --to $HTTPDMZ1

## Allow the traffic to be forwarded
iptables -A FORWARD -m state --state NEW -i $EXTIF -p tcp -d $HTTPDMZ1 --dport 80 -j ACCEPT

well, you also need to allow EST,REL traffic but you get the point.

Good luck,
Matt

----- Original Message -----
From: "Ti Leggett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 26, 2002 7:47 AM
Subject: Re: DNAT problem

> It sounds like you got bit by the same thing that bit me several months
> ago. Keep in mind that *all* NAT traffic has to pass through iptables.
> That means the requests from outside *and* the response from your
> webserver to the outside. That means for all DNATed boxes you need to
> SNAT them to the iptables box. Example:
>
> # Forward incoming traffic on port 80 to 192.168.1.4
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.4
> /sbin/iptables -t nat -A PREROUTING -p udp --dport 80 -j DNAT --to 192.168.1.4
>
> # Send outgoing responses through the iptables box
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d 192.168.1.4 -j SNAT --to-source 192.168.1.1
>
> See if that helps.
>
> On Fri, 2002-04-26 at 04:47, Erik Schaberg wrote:
> > Hi all,
> >
> > I have a problem with iptables and hope one of you gurus can help me.
> >
> > I'm using redhat 7.2 and the iptables (version 1.2.3) that came with it.
> > Iptables works fine for packet filtering and SNAT but I cannot get DNAT
> > working.
> >
> > I have two linux boxes, connected with an ethernet card to each other
> > (192.168.1.0/24). One has also an adsl connection using a static
> > ipaddress (x.x.x.x/32). I use the adsl machine as firewall/workstation,
> > the other one is my webserver. I want to forward the http traffic from
> > the internet directed to my adsl ip address to the lan webserver. But
> > whatever I try, it times out.
> >
> > I read a number of iptables tutorials and FAQs, but I cannot find the
> > solution. I tried different sample iptables configurations, but all have
> > the DNAT problem on my system.
> > To test the DNAT principle/working I added another rule to my nat table.
> > This rule should redirect all http traffic from my workstation to a
> > random chosen ip address 222.222.222.222 to my lan-webserver. This way I
> > can test the principle/working of DNAT without help from someone on the
> > internet to connect to my box.
> > This connection also times out. When I look at the tcpdump output on the
> > ethernet interface it looks to me as if the firewall resets the
> > connection while still in the 3-way handshake.
> >
> > This is my iptables nat configuration as shown with the command
> > iptables -t nat -L:
> > (adsl-ip-address is the static ip address of the firewall's adsl interface.)
> > <====start iptables output ==========>
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > DNAT       tcp  --  anywhere             adsl-ip-address     tcp dpt:http state NEW,RELATED,ESTABLISHED to:192.168.1.2
> > DNAT       tcp  --  anywhere             adsl-ip-address     tcp dpt:http to:192.168.1.2:80
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > SNAT       all  --  anywhere             anywhere            to:adsl-ip-address
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > DNAT       tcp  --  anywhere             222.222.222.222     tcp dpt:http to:192.168.1.2
> > <=========== end iptables output==========>
> >
> > This is the output of tcpdump when I'm connecting to
> > http://222.222.222.222/ from my workstation/firewall-box. (Rork-eth is
> > the lan interface of the firewall/workstation (ip-address 192.168.1.1).
> > Promethea is the lan interface (and hostname) of the webserver on the
> > lan (ip-address 192.168.1.2).)
> > <============ start tcp dump output=====>
> > 18:26:48.765293 Rork-eth0.datametrics > Promethea.http: S 4139693190:4139693190(0) win 5840 <mss 1460,sackOK,timestamp 2036276 0,nop,wscale 0> (DF)
> > 18:26:48.765293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2524120 2034176,nop,wscale 0> (DF)
> > 18:26:48.765293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
> > 18:26:49.165293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2524161 2034176,nop,wscale 0> (DF)
> > 18:26:49.165293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
> > 18:27:13.365293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2526581 2034176,nop,wscale 0> (DF)
> > 18:27:13.365293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
> > 18:27:18.365293 arp who-has Promethea tell Rork-eth0
> > 18:27:18.365293 arp reply Promethea is-at 0:60:8:72:5e:88
> > <========end tcpdump output====>
> >
> > How can I get dnat to work properly?
> > Can anybody help me? I don't know what the problem is. Is it my
> > configuration? Am I missing something obvious?
> >
> > Thanks in advance for your help,
> >
> > Erik
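As an added example that is not part of this thread, the shell function below prints the complete rule set that Matt's and Ti's replies describe together: the PREROUTING DNAT, the FORWARD rules for the NEW connection and its ESTABLISHED,RELATED replies, and the hairpin SNAT that lets a LAN client reach the forwarded address. The interface names, addresses and the `dnat_rules`/`rule_count` function names are constructed placeholders, and nothing is applied unless the output is piped into `sh` as root.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules for one DNAT
# port forward.  Values are placeholders; this only prints the commands.

dnat_rules() {
    extif=$1    # external interface, e.g. ppp0
    lanif=$2    # LAN interface facing the server, e.g. eth0
    lanip=$3    # firewall's LAN address, used as the hairpin SNAT source
    lannet=$4   # LAN network, e.g. 192.168.1.0/24
    extip=$5    # public address the forward is bound to
    dmzip=$6    # internal server address
    port=$7     # TCP port being forwarded

    # 1. nat table: rewrite the destination of inbound connections.
    echo "iptables -t nat -A PREROUTING -i $extif -p tcp -d $extip --dport $port -j DNAT --to-destination $dmzip:$port"

    # 2. filter table: the DNATed packet still has to be allowed through
    #    FORWARD, and so do the replies (the part that is easy to forget).
    echo "iptables -A FORWARD -i $extif -o $lanif -p tcp -d $dmzip --dport $port -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 3. Hairpin: a LAN client hitting the public address is DNATed too, but
    #    without SNAT the server answers the client directly and the client
    #    sees a reply from an address it never contacted, so it resets it.
    echo "iptables -t nat -A PREROUTING -i $lanif -p tcp -d $extip --dport $port -j DNAT --to-destination $dmzip:$port"
    echo "iptables -t nat -A POSTROUTING -o $lanif -s $lannet -d $dmzip -p tcp --dport $port -j SNAT --to-source $lanip"
}

# Number of rules the set contains; a quick sanity check for callers.
rule_count() {
    dnat_rules "$@" | grep -c '^iptables '
}

# Dry run with constructed sample values; pipe into 'sh' as root to apply.
dnat_rules ppp0 eth0 192.168.1.1 192.168.1.0/24 203.0.113.10 192.168.1.2 80
```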
