[ale] Stupid question time: PAT vs NAT

JK jknapka at kneuro.net
Tue May 8 14:46:40 EDT 2007


Jim Popovitch wrote:

> On Tue, 2007-05-08 at 11:04 -0600, JK wrote:
> 
>>But not *my* friend, apparently.  I'm wrong about REDIRECT;
>>you really need a DNAT rule to do port forwarding, unless you're
>>redirecting to a port on the firewall machine itself.  I use
>>this all the time; it was looking at the man page that
>>confuzzled me :-/
> 
> 
> This is one that's been confusing me for some time... i'd like to
> eliminate stunnel with the following... but it don't work 
> 
>   iptables -t nat -A PREROUTING -p tcp -i tap0 -d 192.168.1.1 \
>             --dport 587 -j DNAT --to some.other.host:587
>   iptables -A FORWARD -p tcp -i tap0 -d 192.168.1.1 --dport 587 \
>             -j ACCEPT

I think your problem is here.  Because you're redirecting in
the PREROUTING chain, by the time the packet gets into the
FORWARD chain, the destination has already been changed. So
you need the second rule to be:

   iptables -A FORWARD -p tcp -i tap0 -d some.other.host --dport 587 \
             -j ACCEPT

-- JK

-- 
"What can be asserted without evidence can also be
dismissed without evidence." -- Christopher Hitchens
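To make the chain-ordering point above concrete, here is a small added model of the netfilter path (not code from the thread or from iptables itself): nat PREROUTING runs before routing and the filter FORWARD chain, so a FORWARD rule that still matches the pre-DNAT destination never fires. It assumes a DROP policy on FORWARD and keeps "some.other.host" as a placeholder name.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    iface: str   # input interface, e.g. tap0
    dst: str
    dport: int

def matches(pkt, proto, iface, dst, dport):
    # Equivalent of "-p proto -i iface -d dst --dport dport"
    return (pkt.proto, pkt.iface, pkt.dst, pkt.dport) == (proto, iface, dst, dport)

def dnat_rule(iface, dst, dport, to_dst, to_port):
    # nat PREROUTING target DNAT: rewrite the destination before routing
    def apply(pkt):
        if matches(pkt, "tcp", iface, dst, dport):
            return replace(pkt, dst=to_dst, dport=to_port)
        return pkt
    return apply

def accept_rule(iface, dst, dport):
    # filter FORWARD target ACCEPT: seen only after PREROUTING has run
    def apply(pkt):
        return matches(pkt, "tcp", iface, dst, dport)
    return apply

def forward(pkt, prerouting, forward_rules, policy="DROP"):
    """Walk nat PREROUTING first, then filter FORWARD; first ACCEPT wins,
    otherwise the chain policy applies. Returns (verdict, packet as seen
    by FORWARD)."""
    for nat in prerouting:
        pkt = nat(pkt)
    for rule in forward_rules:
        if rule(pkt):
            return "ACCEPT", pkt
    return policy, pkt

# Constructed sample packet: a client on tap0 connecting to 192.168.1.1:587
PKT = Packet("tcp", "tap0", "192.168.1.1", 587)
PREROUTING = [dnat_rule("tap0", "192.168.1.1", 587, "some.other.host", 587)]

def original_ruleset():
    # FORWARD matches -d 192.168.1.1, but DNAT has already rewritten it
    return forward(PKT, PREROUTING, [accept_rule("tap0", "192.168.1.1", 587)])

def corrected_ruleset():
    # FORWARD matches the post-DNAT destination, as suggested in the reply
    return forward(PKT, PREROUTING, [accept_rule("tap0", "some.other.host", 587)])
```

Running both shows the original set falling through to the DROP policy while the corrected set accepts the rewritten packet.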