Re: DNAT



On Sun, Mar 07, 2004 at 05:22:00AM +0100, D. Benz wrote:
> I made this rule for portforwarding:
> 
> 	(1)	iptables -t nat -I PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to $local_ip:$local_port
> 
> But a client connection from outside on that specified service port couldn't
> be established. iptables -vL shows me that not a single packet has hit that rule,
> and therefore nothing passed through the FORWARD chain, which of course has to
> be set to ACCEPT by default or, in my case, when DROP is the default, another rule
> like
> 
> 	(2)	iptables -I FORWARD -i $ext_if -o $int_if -p tcp --dport $port -j ACCEPT
> 
> is needed.
> 
> ip_forward is enabled. 
> 
> Anyone have any advice?

You also need iptables -I INPUT <etc> if you've got a destructive policy or
late rule.  And, from memory, you don't need the FORWARD rule, as the NAT
table bypasses it (as I say, from memory, if it doesn't work without it,
obviously I need to recache that info).

- Matt
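The port-forward discussed in this thread, written out as an added example (not code from either poster): the PREROUTING DNAT rule together with the FORWARD acceptance it needs, since DNAT only rewrites the destination and the rewritten packet is still routed through FORWARD. Interface names, addresses and ports are constructed placeholders; the FORWARD rule is narrowed to flows the nat table actually rewrote (conntrack state DNAT), and the counter check uses `-t nat`, because a plain `iptables -vL` lists only the filter table.

```shell
#!/bin/sh
# Added example, not from the thread. Set IPT=echo to print the rules
# instead of applying them (applying requires root and the nat module).
IPT="${IPT:-iptables}"
ext_if="${ext_if:-eth0}"               # constructed placeholder values
int_if="${int_if:-eth1}"
port="${port:-8080}"
local_ip="${local_ip:-192.168.1.10}"
local_port="${local_port:-80}"

# Install the rule set. Rules are appended (-A) so their order is explicit.
dnat_rules() {
    # 1. Rewrite the destination before the routing decision.
    "$IPT" -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "$local_ip:$local_port"
    # 2. The rewritten packet is still routed and hits FORWARD; with a DROP
    #    policy it must be accepted explicitly. Restrict the accept to flows
    #    the nat table rewrote (ctstate DNAT) rather than any packet for
    #    $local_ip:$local_port arriving on the external interface.
    "$IPT" -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$local_ip" \
        --dport "$local_port" -m conntrack --ctstate DNAT -j ACCEPT
    # 3. Reply traffic for the forwarded connections.
    "$IPT" -A FORWARD -i "$int_if" -o "$ext_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Show packet/byte counters for the DNAT rule. Note "-t nat": without it,
# iptables -vL lists the filter table and the PREROUTING rule never appears.
show_counters() {
    "$IPT" -t nat -vnL PREROUTING
    "$IPT" -vnL FORWARD
}

# Only apply when explicitly asked, so sourcing the file is side-effect free.
case "${1:-}" in
    apply)    dnat_rules ;;
    counters) show_counters ;;
esac
```

Run `IPT=echo sh script.sh apply` to review the exact rules before applying them as root.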
