
Re: iptables problem



Thiago Ribeiro wrote:
Hello,

I have some problems with DNAT in iptables. I'm redirecting my external http
port to a remote host. I have 8 networks, beginning with 192.168.1-8. My remote machine and destination is 192.168.5.2, and all networks
except 192.168.5.0/24 can navigate to it.
When I run tcpdump or something similar to see what someone on network
5 is doing against the external IP, nothing happens. Here is the rule:

-A PREROUTING -d 200.210.101.37 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.5.2:80

When I use a network 7 address the redirection works perfectly. Only
network 5 can't do this.

It is possible the packets from 192.168.5.x are successfully going to the router, then successfully being DNAT redirected to 192.168.5.2, but the returning packets are getting misdirected. I have seen this happen before, and what might be happening is that 192.168.5.2 sees the source IP address in the incoming packets as 192.168.5.x, and so sends packets directly back to that machine. This means that the returning packet doesn't go back through the router, so the DNAT translation cannot be 'undone'. In the end the 192.168.5.x machine gets TCP packets from 192.168.5.2 when it was expecting them to come back from 200.210.101.37. Hence the 192.168.5.x machine rejects them, probably sending an ICMP packet back to 192.168.5.2 indicating an error. Use of a packet sniffing program will tell you if this is occurring.

  Geoff Crompton
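The situation Geoff describes is the usual "hairpin" (NAT loopback) problem: the client and the server sit on the same subnet, so the server's reply never passes the router and the DNAT is never reversed. The fix is a second nat rule that also rewrites the source of those hairpinned connections to the router's own address on that subnet, so the reply comes back to the router, which undoes both translations. The script below is an added example, not code from the thread; it generates the poster's DNAT rule plus the POSTROUTING SNAT rule. The router's address on 192.168.5.0/24 is not given in the thread, so 192.168.5.1 is assumed as a placeholder.

```sh
#!/bin/sh
# Added example (not from the thread): nat-table rules for hairpin NAT, so
# that hosts on the server's own subnet can reach 192.168.5.2 through the
# external address 200.210.101.37 as well.
#
# The PREROUTING rule is the one from the thread. The POSTROUTING rule is
# the fix: for connections that were DNATed *and* originate from the
# server's own subnet, rewrite the source to the router's address on that
# subnet. The server then replies to the router, which reverses both
# translations, instead of replying straight to the client from an address
# the client never connected to.
#
# Assumption not stated in the thread: the router's address on
# 192.168.5.0/24 is 192.168.5.1 (placeholder; substitute the real one).

EXT_IP=200.210.101.37
SERVER=192.168.5.2
PORT=80
SERVER_NET=192.168.5.0/24
ROUTER_LAN_IP=192.168.5.1   # assumed placeholder

# hairpin_rules EXT_IP SERVER PORT SERVER_NET ROUTER_LAN_IP
# Prints one complete iptables command per line, so the rules can be
# reviewed first and piped to a shell afterwards (see --apply below).
hairpin_rules() {
    ext_ip=$1 server=$2 port=$3 net=$4 router_ip=$5
    # Redirect the external HTTP port to the internal server (as in the thread).
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_ip" "$port" "$server" "$port"
    # Hairpin fix. POSTROUTING already sees the translated destination, and
    # --ctstate DNAT restricts the rule to connections that went through the
    # DNAT above, so only hairpinned connections get their source rewritten.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp -m tcp --dport %s -m conntrack --ctstate DNAT -j SNAT --to-source %s\n' \
        "$net" "$server" "$port" "$router_ip"
}

case "${1:-}" in
    # Load the rules (must run as root on the router).
    --apply) hairpin_rules "$EXT_IP" "$SERVER" "$PORT" "$SERVER_NET" "$ROUTER_LAN_IP" | sh -e ;;
    # Default: just show the commands for review.
    *)       hairpin_rules "$EXT_IP" "$SERVER" "$PORT" "$SERVER_NET" "$ROUTER_LAN_IP" ;;
esac
```

Run it without arguments to review the commands, or with --apply as root to load them. The PREROUTING line repeats the rule already in the poster's ruleset, so on that router only the POSTROUTING line is actually new. With the SNAT in place, a sniffer on the server's LAN segment should show the hairpinned SYNs arriving from the router's address and the server's replies going back to it, rather than straight to the 192.168.5.x client.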


