I am trying to set up netfilter so that anyone on the Internet who connects to port 80 (http) on eth0 on IP 212.xxx.xxx.44 is transparently forwarded out on eth1 to IP 212.xxx.xxx.43 on port 80 (a second machine). As I understand it, this can be done with DNAT. Is this correct? If so, should the following work? (Modules iptable and iptable_nat are loaded, among others.)

# turn on forwarding (seems to set the value ok)
echo "1" > /proc/sys/net/ipv4/ip_forward

# add the prerouting chain (is this necessary? it does not show up as standard)
iptables -N PREROUTING

# Set the default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING DROP

# set ping to work.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Set the forward
iptables -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 212.219.204.43

I have tried a few combinations of the above; the chain appears and looks ok, but when I try to connect it just times out. My routing is ok as I can ping the machines fine. Anyone got any ideas?

Rob.
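The following is an added example, not part of Rob's post or of any reply to it. It prints a working DNAT port-forward rule set for the layout described above (eth0 public side, eth1 towards the second machine, TCP port 80), and it includes a small checker that reads a rule script and reports the defects in the posted one: the DNAT rule is appended without `-t nat`, so it lands in a user chain named PREROUTING in the filter table that nothing ever jumps to; the nat PREROUTING chain is given a DROP policy; and FORWARD has policy DROP with no ACCEPT rule, so even a correctly translated packet would be dropped on its way to eth1. The interface names and port come from the post; the IP addresses are constructed placeholders because the post masks them; the `conntrack` match is assumed to be available in the installed iptables.

```shell
#!/bin/sh
# Added example: corrected DNAT port-forward plus a checker for the common
# mistakes in the posted script. Nothing here touches the firewall unless
# you pipe dnat_rules into sh yourself.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # public-facing interface (from the post)
LAN_IF="${LAN_IF:-eth1}"                 # interface towards the web server (from the post)
PUBLIC_IP="${PUBLIC_IP:-212.0.0.44}"     # constructed placeholder for 212.xxx.xxx.44
BACKEND_IP="${BACKEND_IP:-212.0.0.43}"   # constructed placeholder for 212.xxx.xxx.43
PORT="${PORT:-80}"

# Print the corrected rule set, one command per line, for review before use.
dnat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $BACKEND_IP:$PORT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $BACKEND_IP -p tcp --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# The rule set as posted (constructed copy of the commands in the question),
# kept so the checker below can be run against it.
post_rules() {
    cat <<'EOF'
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -N PREROUTING
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 212.219.204.43
EOF
}

# Read a rule script on stdin and print one line per defect found.
lint_rules() {
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -q 'iptables -N PREROUTING'; then
        echo "user chain PREROUTING created in the filter table: nothing jumps to it, so its rules never run"
    fi
    if printf '%s\n' "$rules" | grep -q -- '-j DNAT' &&
       ! printf '%s\n' "$rules" | grep -- '-j DNAT' | grep -q -- '-t nat'; then
        echo "DNAT rule lacks -t nat: it is appended outside the nat table and never translates anything"
    fi
    if printf '%s\n' "$rules" | grep -q -- '-t nat -P PREROUTING DROP'; then
        echo "nat PREROUTING policy set to DROP: leave nat chains at ACCEPT and filter in the filter table"
    fi
    if printf '%s\n' "$rules" | grep -q -- '-P FORWARD DROP' &&
       ! printf '%s\n' "$rules" | grep -q -- '-A FORWARD .*-j ACCEPT'; then
        echo "FORWARD policy is DROP with no ACCEPT rule: translated packets are dropped before reaching $LAN_IF"
    fi
}

# Number of defects in a rule script read on stdin.
count_defects() {
    lint_rules | wc -l | tr -d ' '
}

# Stand-alone run: show the findings for the posted script, then the fixed rules.
if [ "${1:-}" = "--demo" ]; then
    echo "Defects in the posted rule set:"
    post_rules | lint_rules
    echo
    echo "Corrected rule set:"
    dnat_rules
fi
```

Run `sh script.sh --demo` to see the findings and the corrected commands, and `dnat_rules | sh` (as root) to apply them. One caveat the rules cannot check for you: the second machine's return traffic must pass back through this box so that conntrack can undo the translation, which means 212.xxx.xxx.43's default route (or at least its route to the Internet) has to point at the firewall's eth1 address; if it does not, add a SNAT or MASQUERADE rule in the nat POSTROUTING chain for traffic leaving eth1, at the cost of the web server seeing the firewall's address instead of the client's.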
