In one of your posts you mentioned that the web server is not directly
connected to the internet. That caused me to think about its routing
configuration... Does this server (10.30.143.1) have a route to get
back to the NAT box (10.30.142.12)? If not then your packets may be
getting NATed to the web server, but the response may not be coming back.

For starters, try accessing 'http://10.30.143.1' from 10.30.142.12. If that works, then it isn't a routing problem. If that doesn't work, then no amount of tweaking of your iptables rules will help.

Another possible problem that you may be having is due to how you're accessing the NATed service. Are you trying to access it from a third computer on the other side of the NAT box, or from that box itself? I know it can be tricky to get a packet originating from the NAT server itself to be properly processed by the iptables rules. You should be running your test connection to 'http://10.30.142.12' from a client machine on the 10.30.142.x subnet, not from 10.30.143.x or from the router itself.

dave p.

itachi@cnt.uo.edu.cu wrote:

done

    ruter-deb:~# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    SNAT       tcp  --  10.30.142.12         anywhere            tcp dpt:www to:10.30.143.1

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

but when from my computer I do http://10.30.142.12 nothing happens :(

You're not listing out the correct iptables rules to see your nat rule. Try this:

    iptables -t nat -L

itachi@cnt.uo.edu.cu wrote:

but

itachi@cnt.uo.edu.cu wrote:

hello list, I'm trying to nat some address here but nothing happens. check this rule, what is wrong in there?

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT

    ## Start filtering
    ## Note: eth0 is the interface connected to the router and eth1 to the LAN
    # Localhost is allowed (for example, local connections to mysql)
    /sbin/iptables -A INPUT -i lo -j ACCEPT

    iptables -t nat -A PREROUTING --dst 10.30.142.12 -p tcp --dport 80 -j DNAT \
        --to-destination 10.30.143.1

    echo 1 > /proc/sys/net/ipv4/ip_forward

HI

You forgot the FORWARD, i.e.

    iptables -t filter -A FORWARD --dst 10.30.142.12 -p tcp --dport 80 -j ACCEPT

now my table is showing this

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    DROP       icmp -- !10.30.142.3          0.0.0.0/0

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  0.0.0.0/0            10.30.142.12        tcp dpt:80

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

what about 10.30.143.1? I think on 10.30.143.1 is where I have running the webserver, but I want to open the webserver on 10.30.142.12

HTH

Kind Regards
Brent Clark

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-------------------------------------------------
Luis A. Rondon Paz
Admin intranet CNT
icq #132736035
itachi@cnt.uo.edu.cu
Santiago de Cuba
UONET
-------------------------------------------------
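Added example, not part of the original thread: the filter FORWARD chain sees a packet after nat PREROUTING has rewritten its destination, so a FORWARD rule has to match the web server's address (10.30.143.1) rather than the NAT box's (10.30.142.12). The script checks an iptables-save style dump for this; the dump is constructed from the rules posted in the thread, and the function names and verdict words are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed iptables-save dump modelled on the rules posted above.
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 10.30.142.12/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.30.143.1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 10.30.142.12/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# check_dnat PUBLIC_IP PORT [POLICY]  (dump on stdin)
# POLICY, if given, replaces the FORWARD policy found in the dump.
# Assumes the DNAT rule keeps the port unchanged.
# Prints: no-dnat | explicit-accept | policy-accept | blocked
check_dnat() {
  awk -v pub="$1" -v port="$2" -v override="$3" '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && $1 == ":FORWARD" { policy = $2 }
    $1 == "-A" {
      d = ""; dp = ""; j = ""; to = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-d") { d = $(i+1); sub(/\/32$/, "", d) }
        if ($i == "--dport") dp = $(i+1)
        if ($i == "-j") j = $(i+1)
        if ($i == "--to-destination") { to = $(i+1); sub(/:.*/, "", to) }
      }
      if (table == "nat" && $2 == "PREROUTING" && j == "DNAT" && d == pub && dp == port) real = to
      # FORWARD runs after DNAT, so index ACCEPT rules by the address they match
      if (table == "filter" && $2 == "FORWARD" && j == "ACCEPT" && dp == port) fwd[d] = 1
    }
    END {
      if (override != "") policy = override
      if (real == "") print "no-dnat"
      else if (real in fwd) print "explicit-accept"
      else if (policy == "ACCEPT") print "policy-accept"
      else print "blocked"
    }'
}

sample_rules | check_dnat 10.30.142.12 80   # prints: policy-accept
```

The dump cannot show the live conditions raised in the first message: whether ip_forward is enabled and whether 10.30.143.1 has a return route to 10.30.142.12.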