-A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.200:80
 

This won't work.
I am only able to do DNAT specifying external IP but not interface.

Is there a way to make subj. work?

Thanks.

I would review this.

It might give some insight to your issue.

HTH,

Centinul

Thanks for your reply.
I've already read that before and it contains no clue.

[EDIT] If you think about what DNAT is, it re-writes the destination address of the packet to whatever you want. So I believe in order for the match to work the target needs to match based on a destination address because a packet coming into an interface could have multiple destination addresses.

This is confirmed if you read the fine print of the link I posted above.

HTH,

Centinul
[/EDIT]

Then how is
mentioned in the official netfilter howto supposed to work? ;)

Well if you read further on their site they have an "example" where they use the following:

Which is exactly what the original link I posted has. This is a link directly from the site you gave me, which is here.

You said how do you explain how that works... well apparently you have tested it and it doesn't work. Maybe it's a mistake. Try it in the form of the example above and in the tutorial I posted to see if it works.

What do you have against using the destination ip address?

::EDIT:: Please post the output of iptables -L as well so we can see what it really looks like.

::EDIT #2:: Do you have a rule to accept the new type of traffic in the filter table? i.e. an ACCEPT target for 10.1.1.200:80?