Umm - I do it by specifying the --dport in PREROUTING:

iptables -t nat -A PREROUTING -p tcp -d X.X.X.X --dport 80 -j DNAT --to 192.168.101.10

Where X.X.X.X is my public.... I also need to have a FORWARD rule to the .10 address... don't forget that the Server's DG (default gateway) needs to be the iptables box...

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Ben
> Sent: Tuesday, July 02, 2002 3:35 PM
> To: NetFilter
> Subject: simple nat question
>
>
> I've got a basic nat setup:
>
>            internet
>               |
>         +====+=====+  eth0: 1.2.3.4
>         | firewall |
>         +====+=====+  eth1: 10.0.0.1
>               |
>         +====+=====+  eth0: 10.0.0.2
>         |  server  |
>         +==========+
>
>
> What I would like is for packets coming from the server
> (10.0.0.2) to get SNAT'd to the firewall's IP address,
> 1.2.3.4. It seems easy enough to do:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.2 -j SNAT \
>     --to 1.2.3.4
>
> But now I don't see how return packets are going to make it
> back to my server, because the firewall is going to think
> they are destined for it. If I add the rule:
>
> iptables -t nat -A PREROUTING -d 1.2.3.4 -i ! eth0 -j DNAT \
>     --to 10.0.0.2
>
> Then it seems I lose the ability for the firewall to run
> anything accessible to the outside world, like ssh.
>
>
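The setup the reply describes (a port-specific DNAT in PREROUTING, the matching FORWARD rule, and SNAT for the server's outbound traffic), written out as an added example; it is not code from either poster. It uses the addresses and interface names from Ben's diagram as parameters and emits an iptables-restore ruleset instead of running one iptables command at a time, so the whole thing can be reviewed and then loaded atomically. Because only port 80 on 1.2.3.4 is rewritten, ssh to the firewall itself is untouched. Replies to the SNATed connections are reversed by connection tracking, so no PREROUTING rule is needed for them.

```sh
#!/bin/sh
# Added example, not from the original thread. Builds an iptables-restore
# ruleset for: DNAT of one published port to an inside server, SNAT of the
# server's outbound traffic, and the FORWARD rules that let both through.

# nat_rules EXT_IF INT_IF PUBLIC_IP SERVER_IP PORT
# Prints the ruleset; nothing is applied here.
nat_rules() {
    ext_if=$1; int_if=$2; pub_ip=$3; srv_ip=$4; port=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only port $port is redirected; ssh and anything else on $pub_ip still reach the firewall.
-A PREROUTING -i $ext_if -p tcp -d $pub_ip --dport $port -j DNAT --to-destination $srv_ip:$port
# Outbound traffic from the server leaves as $pub_ip; conntrack un-NATs the replies.
-A POSTROUTING -o $ext_if -s $srv_ip -j SNAT --to-source $pub_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets belonging to connections already tracked, in either direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The FORWARD rule the reply mentions: DNAT only rewrites the address, the
# packet still has to be accepted in FORWARD, matched on the post-DNAT address.
-A FORWARD -i $ext_if -o $int_if -p tcp -d $srv_ip --dport $port -m conntrack --ctstate NEW -j ACCEPT
# New outbound connections from the server.
-A FORWARD -i $int_if -o $ext_if -s $srv_ip -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# apply_rules: same arguments; turns on forwarding and loads the ruleset.
# Needs root. Only called when the script is run with --apply.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_rules "$@" | iptables-restore
}

# Remember the other half of the reply: on the server (10.0.0.2) the default
# gateway must be the firewall's inside address, or replies bypass the NAT box:
#   ip route replace default via 10.0.0.1

case "${1:-}" in
    --apply) shift; apply_rules "$@" ;;
    *)       nat_rules eth0 eth1 1.2.3.4 10.0.0.2 80 ;;
esac
```

Run it with no arguments to print the ruleset for Ben's topology, or as `sh nat.sh --apply eth0 eth1 1.2.3.4 10.0.0.2 80` (as root) to load it. Note that Ben's original PREROUTING rule had no `--dport` and used `-i ! eth0`; the version here matches on the external interface and the single published port, which is the point of the reply.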
