
Re: DNAT




> > I made this rule for portforwarding:
> >
> > 	(1)	iptables -t nat -I PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to $local_ip:$local_port
> >
> > But a client connection from outside on that specified service port
> > couldn't be established. iptables -vL shows me not a single packet has
> > hit that rule and therefore didn't pass through the FORWARD chain which
> > of course has to be set to ACCEPT by default or in my case when DROP is
> > default another rule like
> >
> > 	(2)	iptables -I FORWARD -i $ext_if -o $int_if -p tcp --dport $port -j ACCEPT

> > Does anyone have any advice?
Have you tried adding an SNAT rule?

(3)	iptables -t nat -I POSTROUTING -o $int_if -p tcp --dport $port -j SNAT --to-source $ext_ip


Works pretty well for me.


Regards,
Erik
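An added example, not part of the thread: a small check for the kind of port-forwarding setup discussed above. It reads `iptables-save -c` output, which includes the nat-table counters (plain `iptables -vL` lists only the filter table), and reports for each DNAT rule whether a FORWARD ACCEPT rule matches the port the packet carries after translation. The helper name `check_portfwd` and the sample dump (interfaces, addresses, ports) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). check_portfwd is a hypothetical helper.
# Reads `iptables-save -c` output on stdin. For each DNAT rule it prints the
# packet counter and whether a filter/FORWARD ACCEPT rule matches the port the
# packet carries *after* translation, which is the port FORWARD sees.
check_portfwd() {
    awk '
    # Value following option "opt" on the current rule line, "" if absent.
    function optval(opt,   i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    /^\*/ { table = substr($1, 2) }            # "*nat", "*filter", ...
    table == "filter" && $3 == "FORWARD" && optval("-j") == "ACCEPT" {
        p = optval("--dport")
        if (p != "") fwd[p] = 1
    }
    table == "nat" && optval("-j") == "DNAT" {
        n++
        split(substr($1, 2), c, ":")           # counters look like [pkts:bytes]
        pkts[n] = c[1]
        dest[n] = optval("--to-destination")
        orig[n] = optval("--dport")
    }
    END {
        for (k = 1; k <= n; k++) {
            port = dest[k]
            # No ":port" in the DNAT target means the original port is kept.
            if (port ~ /:/) { sub(/^.*:/, "", port) } else { port = orig[k] }
            printf "DNAT->%s pkts=%d forward=%s\n", dest[k], pkts[k], ((port in fwd) ? "ok" : "missing")
        }
    }'
}

# Constructed sample dump: 8080 on eth0 is forwarded to 192.168.1.10:80,
# but FORWARD only accepts the pre-translation port 8080.
SAMPLE='*nat
:PREROUTING ACCEPT [120:7200]
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
[0:0] -A POSTROUTING -o eth1 -p tcp -m tcp --dport 8080 -j SNAT --to-source 203.0.113.5
COMMIT
*filter
:FORWARD DROP [42:2520]
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE" | check_portfwd
```

On a live system, feed it with `iptables-save -c | check_portfwd` as root; a `pkts=0` result means no packet ever matched the DNAT rule, so the problem lies before the FORWARD chain.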


