
Re: IPTables Port Forwarding



On Wed, 2007-03-07 at 16:24 +0100, Joe Hart wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Giacomo Montagner wrote:
> > On 3/3/07, John L Fjellstad <john-debian@fjellstad.org> wrote:
> >> Johnno <valentine@xtra.co.nz> writes:
> >>
> >> > Hello
> >> >
> >> > Need a little bit of help here...  eth1 = Internet, eth0 = LAN, will
> >> > this work?
> >> >
> >> > iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
> >> > 192.168.1.50:80
> >> > iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j
> >> ACCEPT

Hi!
I worked it out... I googled around a little, and found this:

http://www.debian-administration.org/articles/73

I tried it with a virtual machine, my PC and another machine; let me point out
the situation:

10.0.0.0 "internet" (of course this is only another dmz)
192.168.0.0 "dmz"

http server: 192.168.0.80:80
gateway (my pc): 192.168.0.1 on the dmz (eth0)
		 10.0.0.10 on "the internet" (eth1)

First: 
echo 1 > /proc/sys/net/ipv4/ip_forward 

Second:
http server must use 192.168.0.1 as default gateway

Third:
iptables -t nat -I PREROUTING -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 80 -i eth1 -j DNAT --to-destination 192.168.0.80

Once the packets get modified by the PREROUTING chain, they get into the FORWARD chain:
iptables -I FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
(of course if you have an ACCEPT FORWARD policy this is not needed)

I also tried this:
iptables -I FORWARD -m state --state NEW,ESTABLISHED,RELATED -d 192.168.0.80 -j ACCEPT
but I also had to specify:
iptables -I FORWARD -m state --state NEW,ESTABLISHED,RELATED -s 192.168.0.80 -j ACCEPT
or the connection failed. 

Hope this helps. 

Bye!

Giacomo
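A tighter variant of the ruleset Giacomo describes, added here as an example and not part of the original thread: it keeps the thread's interfaces and addresses, pins the FORWARD accept to the one host and port, and lets only reply traffic back out (the -s rule the post found it needed, minus NEW), emitted in iptables-restore format so it can be reviewed before loading. The build_ruleset/apply_ruleset function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: least-privilege version of the
# port-forward discussed above, emitted in iptables-restore format.
# Interfaces and addresses are the ones from the post; the function
# names are this example's own.
WAN_IF=eth1            # "internet" side
LAN_IF=eth0            # dmz side
WEB_HOST=192.168.0.80  # the http server behind the gateway
WEB_PORT=80

# Print the ruleset. iptables-restore ignores lines starting with '#'.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# Rewrite only new TCP/${WEB_PORT} arriving on the Internet interface. The nat
# table sees just the first packet of a flow, so no state match is needed here.
-A PREROUTING -i ${WAN_IF} -p tcp --dport ${WEB_PORT} -j DNAT --to-destination ${WEB_HOST}:${WEB_PORT}
COMMIT
*filter
:FORWARD DROP [0:0]
# Inbound: the DNATed flow only, pinned to interface pair, host and port,
# instead of a blanket "-m state ... -j ACCEPT" on FORWARD.
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -p tcp -d ${WEB_HOST} --dport ${WEB_PORT} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Return path (the rule the post found it also needed): replies from the web
# server only. Without NEW here the server cannot open connections outward.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${WEB_HOST} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load it. This replaces the nat and filter tables, so review build_ruleset
# first (the default when no argument is given). The http server must still
# use the gateway's dmz address as its default gateway, as the post says.
apply_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_ruleset | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Run without arguments to print the ruleset; run with `apply` as root to load it.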
