Re: iptables + PAT

From: /dev/rob0 (
Date: 01/25/04

Date: Sat, 24 Jan 2004 19:30:18 -0800

In article <buugqc$26k$04$>, Steve Vain wrote:
> iptables -t nat -A PREROUTING -i eth0 -d firewallip --dport 8080 -j
> DNAT --to-destination WebIP:80
> [snip]
> will only notice one arriving Packets but no connection works..seems to be
> loading without a result

What's in your filter rules? These packets hit the filter table,
specifically the FORWARD chain, with an IP:port destination of WebIP:80.
Is port 80/tcp accepted for WebIP? (Oh, BTW, there's no "-p tcp" in your
DNAT rule.)

Does your route table allow routing from firewallip to WebIP?

> Please can anyone help ?, and explain how the packets run really through my

I don't remember the whole scheme, but nat PREROUTING is one of the
first hit. The name refers to the routing decision, at which point the
kernel decides to send it to one of the 3 filter chains. It's all
described in the HOWTO and man page.

> If my local PC sends by webbrowser http.// firewallip:8080 -> the packet
> enters at first the Prerouting chain ?

Well I don't know. What's the route between you and firewallip? Is that
packet coming in on the firewall's eth0 interface? Not knowing your
network topology makes this rather difficult to guess.

  /dev/rob0 - preferred_email=i$((28*28+28))
  or put "not-spam" or "/dev/rob0" in Subject header to reply

Relevant Pages

  • Re: IPTables port forwarding issues
    ... and on that picture you see that the INPUT chain will filter no ... packets for targets not adressed to the filtering host. ... of NATTED packets is done in the FORWARD chain, ... identifying the relevant log entries. ...
  • Re: IPTables port forwarding issues
    ... tracking of how iptables parses its connections through the various ... You mean how the packets flow through the chains? ... is done in the FORWARD chain, ... packet filter should be found either in /var/log/messages ...
  • Re: iptables and dhcp
    ... > the same physical network segment as the firewall and the remote DHCP ... You used INPUT and not FORWARD chain ... # This target allows packets to be marked in the mangle table ...
  • Re: How to set NIC to promiscuous mode from FilterHook driver
    ... So from your reply I take it you are interested in getting packets destined to other hosts -that are not necessarily originated from the host your filter is running on-. ... As I said in my previous post, setting the adapter to promiscuous mode is not going to help you. ... the filter hook driver I mentioned is as per the msdn ...
  • Re: 2.6.18 forcedeth GSO panic on send
    ... I run tcpserver ... Chain INPUT (policy ACCEPT 20 packets, ...