Re: dnatting

[Payal Rathod <payal-netfilter@scriptkitchen.com>]

On Mon, Jul 11, 2005 at 12:09:44PM -0700, Gary W. Smith wrote:
> Payal, 
> 
> You need to add a second simple entry:
[...]

Thanks this solved it. Thanks again.
Now I am curious why Jason didn't suggest this.

With warm regards,
-Payal

> 
> Look at the entries below.  I'm mapping an entire IP but this would be
> simple to just to a single port.  The second POSTROUTING line is what
> made everything work for my typical firewalls.
> 
> # Completed on Mon Jul 11 10:58:27 2005
> # Generated by iptables-save v1.2.11 on Mon Jul 11 10:58:27 2005
> *nat
> :PREROUTING ACCEPT [2547:176804]
> :POSTROUTING ACCEPT [633:40896]
> :OUTPUT ACCEPT [40:4518]
> -A PREROUTING -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50 
> 
> -A POSTROUTING -s 10.94.16.50 -o eth0 -j SNAT --to-source 81.45.25.50 
> -A POSTROUTING -s 10.94.16.50 -d 10.94.16.0/255.255.255.0 -j SNAT
> --to-source 81.45.25.50 
> 
> -A POSTROUTING -o eth0 -p ! ipv6-crypt -j SNAT --to-source 81.45.25.50
> -A OUTPUT -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50 
> COMMIT
> # Completed on Mon Jul 11 10:58:27 2005
> 
> 
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> > bounces@lists.netfilter.org] On Behalf Of Payal Rathod
> > Sent: Monday, July 11, 2005 8:19 AM
> > To: Netfilter ML
> > Subject: dnatting
> > 
> > Hi,
> > I have a rule on my friend's broadband connection to redirect traffic
> > from outside to an internal machine like,
> > 
> > iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT  \
> > --to-destination 192.168.10.10:80
> > 
> > But she complained that people from inside the network cannot do
> > http://1.2.3.4 in their browser and see the site. Is she correct?
> > What is wrong with my rule because I can see the site from outside?
> > 
> > Thanks in advance.
> > With warm regards,
> > -Payal
> > 
> > 
>