From: Payal Rathod
Subject: Re: dnatting
Date: Tue, 12 Jul 2005 03:34:07 -0400
Message-ID: <20050712073407.GA30567@tranquility.scriptkitchen.com>
References: <57F9959B46E0FA4D8BA88AEDFBE58290742C@pxtbenexd01.pxt.primeexalia.com>
In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE58290742C@pxtbenexd01.pxt.primeexalia.com>
Sender: netfilter-bounces@lists.netfilter.org
To: "Gary W. Smith"
Cc: Netfilter ML

On Mon, Jul 11, 2005 at 12:09:44PM -0700, Gary W. Smith wrote:
> Payal,
>
> You need to add a second simple entry:
[...]

Thanks this solved it. Thanks again. Now I am curious why Jason didn't
suggest this.
With warm regards,
-Payal

>
> Look at the entries below. I'm mapping an entire IP but this would be
> simple to just to a single port. The second POSTROUTING line is what
> made everything work for my typical firewalls.
>
> # Completed on Mon Jul 11 10:58:27 2005
> # Generated by iptables-save v1.2.11 on Mon Jul 11 10:58:27 2005
> *nat
> :PREROUTING ACCEPT [2547:176804]
> :POSTROUTING ACCEPT [633:40896]
> :OUTPUT ACCEPT [40:4518]
> -A PREROUTING -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
>
> -A POSTROUTING -s 10.94.16.50 -o eth0 -j SNAT --to-source 81.45.25.50
> -A POSTROUTING -s 10.94.16.50 -d 10.94.16.0/255.255.255.0 -j SNAT
> --to-source 81.45.25.50
>
> -A POSTROUTING -o eth0 -p ! ipv6-crypt -j SNAT --to-source 81.45.25.50
> -A OUTPUT -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
> COMMIT
> # Completed on Mon Jul 11 10:58:27 2005
>
>
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> > bounces@lists.netfilter.org] On Behalf Of Payal Rathod
> > Sent: Monday, July 11, 2005 8:19 AM
> > To: Netfilter ML
> > Subject: dnatting
> >
> > Hi,
> > I have a rule on my friend's broadband connection to redirect traffic
> > from outside to an internal machine like,
> >
> > iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
> > --to-destination 192.168.10.10:80
> >
> > But she complained that people from inside the network cannot do
> > http://1.2.3.4 in their browser and see the site. Is she correct?
> > What is wrong with my rule because I can see the site from outside?
> >
> > Thanks in advance.
> > With warm regards,
> > -Payal
> >
> >
>
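
Why a DNAT rule alone works from outside but not from inside, as an added example that is not part of the original thread: a small model of one connection to 1.2.3.4:80 and the server's reply, with and without a POSTROUTING SNAT rule for LAN-originated traffic. The /24 LAN prefix, both client addresses, the SNAT rule shown in the comment, and the server using the NAT box as its default gateway are assumptions; 1.2.3.4 and 192.168.10.10 come from the question.

```python
"""Constructed model of the hairpin-NAT problem discussed in this thread."""
from ipaddress import ip_address, ip_network

PUBLIC = "1.2.3.4"                     # address in Payal's DNAT rule
SERVER = "192.168.10.10"               # DNAT target in Payal's rule
LAN = ip_network("192.168.10.0/24")    # assumed LAN prefix


def trace(client, hairpin_snat):
    """Follow one connection to PUBLIC:80 and the server's reply.

    Returns (source the server sees, source the client sees on the reply,
    whether the reply matches the client's connection)."""
    src, dst = client, PUBLIC
    # PREROUTING: -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.10:80
    dst = SERVER
    # POSTROUTING (assumed hairpin rule, not quoted from the thread):
    #   -s 192.168.10.0/24 -d 192.168.10.10 -p tcp --dport 80 -j SNAT --to-source 1.2.3.4
    if hairpin_snat and ip_address(src) in LAN:
        src = PUBLIC
    server_sees = src

    # The server answers whoever it saw as the source.
    reply_src, reply_dst = SERVER, server_sees
    if ip_address(reply_dst) not in LAN:
        # Off-subnet destination: the reply goes to the default gateway (the
        # NAT box), where conntrack reverses the translations made inbound.
        reply_src, reply_dst = PUBLIC, client
    # Otherwise the reply is delivered directly on the LAN; the router never
    # sees it, so its source stays SERVER instead of PUBLIC.

    # The client connected to PUBLIC, so only a reply from PUBLIC matches.
    accepted = reply_src == PUBLIC and reply_dst == client
    return server_sees, reply_src, accepted


def report():
    cases = [("203.0.113.7", False),     # constructed outside client
             ("192.168.10.20", False),   # constructed inside client, DNAT only
             ("192.168.10.20", True)]    # same inside client with the SNAT rule
    return {case: trace(*case) for case in cases}


if __name__ == "__main__":
    for (client, snat), result in report().items():
        print(client, "hairpin_snat=%s" % snat, "->", result)
```

With the SNAT rule in place the server sees 1.2.3.4 as the source of every inside client, so its access logs no longer distinguish internal hosts.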