[wplug] DNAT Headaches
James O'Kane
jo2y at midnightlinux.com
Mon Jul 15 23:17:03 EDT 2002
On Mon, 15 Jul 2002, Hagbard Celine wrote:
> iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to 208.0.146.66
This looks good. You might want to consider -j MASQUERADE if you only have
one external IP address.
> iptables -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to 172.16.2.2
This also seems right. What do you have in your FORWARD table?
You'll probably want something like:
iptables -A FORWARD -i ppp0 -d 172.16.2.2 -p tcp --dport 80 -j ACCEPT
The path of filters is slightly more complicated, but it follows the chains
something like this (assuming they are not for the local machine):
PREROUTING -> FORWARD -> POSTROUTING
So the packet comes in, gets DNAT'ed in PREROUTING, then FORWARD decides
if it is allowed to be forwarded, then POSTROUTING gets a chance to
look at it.
-james
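
Added example, not part of the original message: a simplified Python model of the chain order described above, built from the three rules quoted in this thread. It shows that FORWARD sees the destination after DNAT has rewritten it. The LAN interface name eth0, the client address 198.51.100.7 and a default DROP policy on FORWARD are assumptions.

```python
from dataclasses import dataclass, replace

EXT_IF, LAN_IF = "ppp0", "eth0"            # eth0 is an assumed LAN interface name
EXT_IP, WEB_IP = "208.0.146.66", "172.16.2.2"

@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    src: str
    dst: str
    dport: int
    out_if: str = ""                        # filled in by the routing decision

def prerouting(p):
    # -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to 172.16.2.2
    if p.in_if == EXT_IF and p.proto == "tcp" and p.dport == 80:
        return replace(p, dst=WEB_IP)
    return p

def route(p):
    # Routing happens after PREROUTING, so it uses the rewritten destination.
    return replace(p, out_if=LAN_IF if p.dst.startswith("172.16.") else EXT_IF)

def forward(p, rule_dst, policy="DROP"):
    # -A FORWARD -i ppp0 -d <rule_dst> -p tcp --dport 80 -j ACCEPT
    # The DROP policy is an assumption; the thread does not state it.
    if (p.in_if, p.dst, p.proto, p.dport) == (EXT_IF, rule_dst, "tcp", 80):
        return "ACCEPT"
    return policy

def postrouting(p):
    # -t nat -A POSTROUTING -o ppp0 -j SNAT --to 208.0.146.66
    if p.out_if == EXT_IF:
        return replace(p, src=EXT_IP)
    return p

def traverse(p, forward_rule_dst):
    """Walk PREROUTING -> routing -> FORWARD -> POSTROUTING for one packet."""
    p = route(prerouting(p))
    verdict = forward(p, forward_rule_dst)
    return verdict, (postrouting(p) if verdict == "ACCEPT" else p)

# Constructed sample packet: an outside client connecting to the public address.
inbound = Packet(EXT_IF, "tcp", "198.51.100.7", EXT_IP, 80)

if __name__ == "__main__":
    print(traverse(inbound, WEB_IP))   # FORWARD rule written against the internal address
    print(traverse(inbound, EXT_IP))   # FORWARD rule written against the public address
```

A FORWARD rule written with -d 208.0.146.66 never matches in this model, because the destination is already 172.16.2.2 by the time the packet reaches FORWARD.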