
Re: Portforwarding



* Jan Tammen (luser@tammen.net) [010928 11:28]:
> Hello,
> I'm using potato and kernel 2.4.8. I'm trying to map some ports to a
> client inside my NAT-network. So far i'm using this, but it seems to
> have no effect:
> 
> iptables -t nat -A PREROUTING -p tcp -i mydevice --dport 1111 -j DNAT --to
> client_ip:1111

what's 'mydevice'? I hope that's your external interface.

try these lines:
IPTABLES=/sbin/iptables
EXT_IF=eth0             # replace this with your actual interface name
EXT_IP=128.32.136.9     # replace this with your actual IP address
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXT_IF -d $EXT_IP \
  --dport 1111 -j DNAT --to-destination 192.168.1.100

And, of course, replace the 192 address with the actual address of your
dmz host.

For future reference, it's a lot easier to help you if you tell us what
you're _really_ doing. Some of my initial guesses as to why your line
didn't work:

mydevice is not an actual interface name
client_ip is not resolvable -- add it to /etc/hosts

I'm not trying to pick on you, but just please realize that munging
always makes the problem harder to see.

> ... and so on, and then:

Also, say what you did! Don't leave us guessing what else might have
broken it during the 'and so on' stage!

> iptables -A FORWARD -i mydevice -p tcp -d client_ip --dport 1111 -j ACCEPT

this may be working, but you'll never know if you don't also allow
reverse (outbound) traffic to return to the remote client:

iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $CLIENT_IP \
 --sport 1111 -j ACCEPT

or better yet, use connection tracking:

iptables -A FORWARD -i $INT_IF -o $EXT_IF \
  -p tcp -s $CLIENT_IP --sport 1111 \
  -m state --state ESTABLISHED,RELATED \
  -j ACCEPT

I think it's probably just that you were missing this rule to allow the
return traffic. Hope that works!

good times,

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'
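Putting the advice in this reply together, here is a complete port-forward script for a NAT gateway. It is an added example, not code from the original post: the interface names, the public address and the client address are placeholders (assumptions) to be overridden in the environment, and without the "apply" argument the script only prints the commands it would run, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example (not from the original post): a complete port-forward
# for a NAT gateway on the lines the reply suggests. All addresses and
# interface names below are placeholders (assumptions); override them in
# the environment. Without the "apply" argument the script only prints
# the commands it would run, so it can be checked without root.

IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=${EXT_IF:-eth0}                  # external interface (assumed)
INT_IF=${INT_IF:-eth1}                  # LAN interface (assumed)
EXT_IP=${EXT_IP:-203.0.113.9}           # public address (placeholder)
CLIENT_IP=${CLIENT_IP:-192.168.1.100}   # DMZ host behind the NAT (placeholder)
PORT=${PORT:-1111}
DRY_RUN=1
if [ "${1:-}" = apply ]; then
    DRY_RUN=0
fi

# ipt: run iptables, or print the command under dry run.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# enable_forwarding: a DNAT rule "has no effect" if the kernel never
# forwards at all. A default-DROP FORWARD policy is what makes the
# ACCEPT rules below meaningful.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
    ipt -P FORWARD DROP
}

# forward_port: the DNAT rule plus the two FORWARD rules it needs.
forward_port() {
    # 1. Rewrite the destination of packets arriving on the external
    #    interface for EXT_IP:PORT. Matching both -i and -d keeps the
    #    rule from catching LAN traffic; the port is restated on the
    #    target so the mapping stays explicit.
    ipt -t nat -A PREROUTING -p tcp -i "$EXT_IF" -d "$EXT_IP" \
        --dport "$PORT" -j DNAT --to-destination "$CLIENT_IP:$PORT"

    # 2. FORWARD runs after the DNAT, so it sees the rewritten
    #    destination: match the client address, not the public one.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$CLIENT_IP" \
        --dport "$PORT" -m state --state NEW -j ACCEPT

    # 3. Replies back out. Connection tracking covers every forwarded
    #    service with this one rule, so no per-port --sport rules.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# masquerade_lan: the usual outbound NAT for the LAN, so the client's
# own outgoing connections keep working alongside the forward.
masquerade_lan() {
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

enable_forwarding
forward_port
masquerade_lan
```

Run it as `EXT_IF=ppp0 EXT_IP=your.public.ip CLIENT_IP=192.168.1.100 sh portfwd.sh` to see the exact rules, then add `apply` to load them. Note that the return-traffic rule has no port in it: one ESTABLISHED,RELATED rule serves every forwarded service, which is the reason the reply prefers connection tracking over a per-port `--sport` rule.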
