Re: DNAT
On Sun, Mar 07, 2004 at 05:22:00AM +0100, D. Benz wrote:
> I made this rule for portforwarding:
>
> (1) iptables -t nat -I PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to $local_ip:$local_port
>
> But a client connection from outside on that specified service port couldn't
> be established. iptables -vL shows me that not a single packet has hit that rule,
> and therefore nothing passed through the FORWARD chain, which of course has to
> be set to ACCEPT by default, or, in my case, where DROP is the default, another rule
> like
>
> (2) iptables -I FORWARD -i $ext_if -o $int_if -p tcp --dport $port -j ACCEPT
>
> is needed.
>
> ip_forward is enabled.
>
> Anyone have any advice?
You also need iptables -I INPUT <etc> if you've got a destructive policy or
late rule. And, from memory, you don't need the FORWARD rule, as the NAT
table bypasses it (as I say, from memory, if it doesn't work without it,
obviously I need to recache that info).
- Matt
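A dry-run version of the full rule set for this kind of port forward, plus a check of the rule counters the poster looked at, added here as an example and not taken from the thread: DNAT in nat/PREROUTING rewrites the destination before the routing decision, so the forwarded packet then traverses FORWARD (INPUT only sees traffic addressed to the firewall host itself). Interface names, ports and addresses are placeholders, and the counter output is constructed.

```shell
#!/bin/sh
# Dry-run helpers for a TCP port forward: dnat_rules prints the iptables
# commands (review them, then pipe to sh); dnat_hits reads "iptables -t nat
# -nvL PREROUTING" output and reports the packet counter of the DNAT rule
# for a port. Interface names and addresses below are placeholders.

# dnat_rules EXT_IF INT_IF PORT LOCAL_IP LOCAL_PORT
dnat_rules() {
    # nat/PREROUTING rewrites the destination before the routing decision.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$3" "$4" "$5"
    # The rewritten packet is routed towards the LAN, so it traverses
    # FORWARD (not INPUT); with a DROP policy it needs an explicit ACCEPT.
    # FORWARD sees the post-DNAT destination, so match on LOCAL_IP:LOCAL_PORT.
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$1" "$2" "$4" "$5"
    # Replies go LAN -> external and are un-NATed by conntrack.
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$2" "$1"
}

# dnat_hits PORT < counters: prints the pkts column of the first DNAT rule
# whose match is "dpt:PORT", or "none" if no such rule exists. A count of 0,
# as in the original report, means the DNAT rule itself never matched
# (wrong interface, port or protocol, or the traffic never arrives), so the
# FORWARD/INPUT rules are not the first thing to look at.
dnat_hits() {
    awk -v want="dpt:$1" '
        $3 == "DNAT" { for (i = 4; i <= NF; i++) if ($i == want) { print $1; found = 1; exit } }
        END { if (!found) print "none" }'
}

# Constructed sample of "iptables -t nat -nvL PREROUTING" output.
SAMPLE_NAT_COUNTERS='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.168.1.10:80
   42  2520 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:192.168.1.11:22'

# Stand-alone usage: print the rules, then inspect the counter for port 8080.
dnat_rules eth0 eth1 8080 192.168.1.10 80
printf '%s\n' "$SAMPLE_NAT_COUNTERS" | dnat_hits 8080
```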
- Follow-Ups:
- Re: DNAT
- From: Erik Meusel <erik.meusel@web.de>
- References:
- DNAT
- From: "D. Benz" <sauglatt@gmx.ch>