
Re: Can't get DNAT to port forward SSH



On Wed, Jul 04, 2001 at 12:40:16AM -0500, S . Salman Ahmed wrote:
> Still no go. I added the following rules to my earlier firewall setup:
> 
> iptables -t nat -A PREROUTING -i eth0 -s SomeIpAddress \
>         -p tcp -d MyIpAddress --dport 22 \
>         -j DNAT --to 192.168.1.2
> 
> iptables -A FORWARD -i eth0 -s SomeIpAddress \
>         -p tcp --dport 22 -j ACCEPT

Please refer to my first reply in this thread; I have copied the
significant portion below.

Even if you add the rule you show above, its placement in the ruleset is
important.  If it comes _after_ the rule I mention below, it's not going
to do any good because the first one to match the packet is going to be
the only one that matters.


On Tue, Jul 03, 2001 at 06:34:33AM +0000, Jim Breton wrote:
> > $IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
> 
> Only looked at your rule set briefly but I think that is the line that
> is killing you.

-- 

Jim B.
vader@conflict.net
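As an added example (not part of Jim's reply or of the original poster's
ruleset): the POSIX shell script below issues the rules in the order the
kernel evaluates them, so the ACCEPT for the forwarded SSH flow sits
before the catch-all "NEW,INVALID -> DROP" rule, and it includes a small
check that reads `iptables -S FORWARD` output to confirm that order on a
live box. Assumptions of mine, not the thread's: it is a dry run by
default (IPTABLES defaults to `echo iptables`); the placeholders
SomeIpAddress and MyIpAddress are carried over from the thread; the ACCEPT
matches on the post-DNAT destination 192.168.1.2 and on state
NEW,ESTABLISHED, both my additions; return traffic for the internal host is
assumed to be handled by the rest of the firewall's ruleset, which the
thread does not show; the file name fwd-ssh.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Dry run by default: commands are printed, not executed.
# Set IPTABLES=iptables (as root) to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

WAN_IF=eth0
SOMEIP=SomeIpAddress      # remote client allowed in (thread's placeholder)
MYIP=MyIpAddress          # firewall's public address (thread's placeholder)
SSH_HOST=192.168.1.2      # internal SSH server behind the firewall

# Emit the rules in evaluation order.  iptables is first-match: once a
# packet hits the NEW,INVALID -> DROP rule nothing after it is consulted,
# so the ACCEPT for the forwarded connection must be appended before it
# (or inserted ahead of it with -I FORWARD 1 on an existing chain).
apply_rules() {
    # nat/PREROUTING runs before the routing decision and before FORWARD,
    # so by the time FORWARD sees this packet its destination is already
    # the internal host; match on that, not on the public address.
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -s "$SOMEIP" \
        -p tcp -d "$MYIP" --dport 22 -j DNAT --to "$SSH_HOST"

    # Accept only this client, only to the SSH host, and only NEW or
    # ESTABLISHED (never INVALID) packets.  Assumption: state module in use.
    $IPTABLES -A FORWARD -i "$WAN_IF" -s "$SOMEIP" -d "$SSH_HOST" \
        -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Only now the catch-all that was dropping the new connection.
    $IPTABLES -A FORWARD -i "$WAN_IF" -m state --state NEW,INVALID -j DROP
}

# Audit a live chain: pipe in `iptables -S FORWARD` (one rule per line, in
# evaluation order).  Exit 0 when an ACCEPT for tcp/22 precedes the
# NEW,INVALID DROP (or no such DROP exists), exit 1 otherwise.
check_order() {
    awk '
        /-j ACCEPT/ && /--dport 22( |$)/ && accept == 0 { accept = NR }
        /-j DROP/ && /--state NEW,INVALID/ && drop == 0 { drop = NR }
        END { exit !(accept > 0 && (drop == 0 || accept < drop)) }
    '
}

# Usage (file name is hypothetical):
#   sh fwd-ssh.sh                                   # no-op: functions only
#   . ./fwd-ssh.sh; apply_rules                     # print the commands
#   IPTABLES=iptables sh -c '. ./fwd-ssh.sh; apply_rules'   # apply, as root
#   iptables -S FORWARD | check_order && echo "order OK"    # audit live chain
```

The check greps for the two rules rather than matching them exactly,
because `iptables -S` normalises what you typed (for example it prints
`-p tcp -m tcp --dport 22` and appends `/32` to bare addresses); on an
older iptables without `-S`, `iptables -L FORWARD -n --line-numbers` shows
the same evaluation order with explicit rule numbers. Note also that the
original poster's ACCEPT rule has no `-d`, so it would match tcp/22 to
any forwarded destination from that source; matching on the post-DNAT
address keeps the hole as narrow as the DNAT itself.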


