Re: IPTABLES (linux 2.4) - Is the prerouting table the first to be checked?

From: Cedric Blancher (blancher@cartel-securite.fr)
Date: 05/02/02


From: Cedric Blancher <blancher@cartel-securite.fr>
Date: Thu, 2 May 2002 13:31:53 +0000 (UTC)

In his prose, Tony Kambourakis (akambour.spamfree@mbox.com.au) wrote to us:
> Environment: Redhat 7.2, iptables 1.2.4 on an old Pentium 133 (two NICs)
> acting as a firewall/gateway for small home network.
> Having trouble with the line:
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 10.1.1.17:80
> Chain PREROUTING (policy ACCEPT 9448 packets, 1167K bytes)
> num pkts bytes target prot opt in out source destination
> 1 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/ tcp dpt:80 to:10.1.1.17:80
> When trying to hit port 80 from the internet, the "pkts" column does not
> seem to increment. The "policy ACCEPT" does though.
>
> Would this rule not be the first that is checked before all other iptable
> rules?

Yes it is.

> Is my assumption that the "pkts" column will increment when there is a match
> correct?

Correct.

> Or could something more sinister be at play here? Perhaps another rule is
> getting in the way.

It seems your rule does not match any packet. Have you tried to connect
to port 80 from outside?

-- 
BOFH excuse #301:

appears to be a Slow/Narrow SCSI-0 Interface problem
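
One way to check the symptom discussed in this thread is to save the PREROUTING listing before and after a test connection and compare the counters. The script below is an added example, not part of the original messages; the function names `counter_deltas` and `demo` are hypothetical, and the two snapshots are constructed sample data modelled on the listing quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Compares two saved listings of
#   iptables -t nat -L PREROUTING -v -n -x --line-numbers
# (-x prints exact counters instead of rounded values such as 1167K).

# counter_deltas BEFORE_FILE AFTER_FILE
# Prints "policy +N", then "rule NUM TARGET in=IF +N" for each rule.
counter_deltas() {
    awk '
    # Chain header: Chain PREROUTING (policy ACCEPT 9448 packets, ...
    $1 == "Chain" && $3 == "(policy" {
        if (FNR == NR) pol = $5
        else printf "policy +%d\n", $5 - pol
        next
    }
    # Rule line: num pkts bytes target prot opt in out source destination
    $1 ~ /^[0-9]+$/ {
        if (FNR == NR) pk[$1] = $2
        else printf "rule %s %s in=%s +%d\n", $1, $4, $7, $2 - pk[$1]
    }' "$1" "$2"
}

# Constructed snapshots modelled on the listing quoted in the thread;
# the "after" numbers are invented for the demonstration.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
Chain PREROUTING (policy ACCEPT 9448 packets, 1167000 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.1.1.17:80
EOF
    cat > "$dir/after" <<'EOF'
Chain PREROUTING (policy ACCEPT 9451 packets, 1167180 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.1.1.17:80
EOF
    counter_deltas "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo
```

The nat table is consulted only for the first packet of each connection, so a matching DNAT rule gains one count per new connection rather than one per packet. A rule delta of +0 alongside a rising policy counter means other new connections traversed the chain while the test connection did not satisfy the rule's `-i` and `--dport` match.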