Linux - Networking

-A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination

GSMD 05-03-2007 08:05 AM

-A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination
This won't work.
I am only able to do DNAT specifying the external IP but not the interface.

Is there a way to make subj. work?


Centinul 05-03-2007 08:29 AM

I would review this.

It might give some insight to your issue.



GSMD 05-04-2007 06:13 AM

Thanks for your reply.
I've already read that before and it contains no clue.

Centinul 05-04-2007 07:49 AM

[EDIT] If you think about what DNAT is, it re-writes the destination address of the packet to whatever you want. So I believe that, in order for the match to work, the target needs to match based on a destination address, because a packet coming into an interface could have multiple destination addresses.

This is confirmed if you read the fine print of the link I posted above.



GSMD 05-04-2007 08:49 AM

Then how is

iptables -t nat -A PREROUTING -i eth0 -j DNAT --to
mentioned in the official netfilter howto supposed to work? ;)

Centinul 05-04-2007 09:26 AM

Well, if you read further on their site, they have an "example" where they use the following:


iptables -t nat -A PREROUTING -d \
        -p tcp --dport 80 -j DNAT --to

Which is exactly what the original link I posted has. This is a link directly from the site you gave me, which is here.

You said how do you explain how that works... well apparently you have tested it and it doesn't work. Maybe it's a mistake. Try it in the form of the example above and in the tutorial I posted to see if it works.

What do you have against using the destination IP address?

::EDIT:: Please post the output of iptables -L as well so we can see what it really looks like.

::EDIT #2:: Do you have a rule to accept the new type of traffic in the filter table? i.e. an ACCEPT target for
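
Added example, not part of the thread and not any poster's code: a shell helper that emits, in iptables-restore format, an interface-matched DNAT rule together with the filter-table FORWARD rules that the last post asks about. The interface eth2 and port 80 come from the thread; the address 192.0.2.10 (documentation range) and all function names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example. Forwarding also needs net.ipv4.ip_forward=1 on the router.

# valid_iface NAME: plain interface name, at most 15 chars, no leading dash.
valid_iface() {
    case "$1" in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# valid_port N: decimal TCP port 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR: dotted quad with each octet 0-255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# dnat_ruleset IFACE PORT DEST: print rules for iptables-restore.
# Inputs are validated first so nothing but a name, port and address
# can end up inside a rule line.
dnat_ruleset() {
    iface=$1 port=$2 dest=$3
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    valid_port "$port"   || { echo "bad port: $port" >&2; return 1; }
    valid_ipv4 "$dest"   || { echo "bad address: $dest" >&2; return 1; }
    cat <<EOF
*nat
-A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $dest:$port
COMMIT
*filter
-A FORWARD -i $iface -p tcp -d $dest --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

dnat_ruleset eth2 80 192.0.2.10
```

The output can be checked without loading it by piping it to `iptables-restore --noflush --test` as root.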

All times are GMT -5.