adsl+iptables+port forward+"-m tcp" strange problem
 

adsl+iptables+port forward+"-m tcp" strange problem
I.state the situation
i'm using a iptables gateway dialing up adsl connection to connect the internet,
and port forwad LAN services to the internet, the classic situation.

II.problem
when i use DNAT with "-m tcp" , it works fine:
/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 12000 -j DNAT --to 192.168.0.24

but, without "-m tcp" , it's all over , failed.
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 12000 -j DNAT --to 192.168.0.24

In the formal/informal docs of netfilter i have read, i cant find anything about "-m tcp" ,but almost every DNAT uses this option

I guess without "-m tcp" the static IP situation will work , but without it ,
an adsl connection will not.

Maybe implicit rules do not take effect when using dynamic IP, so the explicit -m tcp must be added.

Anyone could help ? thank a lot!

From: http://www.die.net/doc/linux/man/man8/iptables.8.html


That is a command option passed to the tcp module.



BTW, an awesome book to pick up is Linux Firewalls
http://print.google.com/print?id=rIW...-US:unofficial
http://www.amazon.com/exec/obidos/tg...31843?v=glance
http://half.ebay.com/cat/buy/prod.cgi?cpid=1076493453

Try including the port in the DNAT command. Instead of running this:

/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 12000 -j DNAT --to 192.168.0.24

Run this:

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 12000 -j DNAT --to 192.168.0.24:12000

Notice that the --to address includes the port now. See if that gives you any luck.

Thank You
 

Thank You
And the version WITHOUT "-m tcp" was documented in the official HOW-TO provided by the netfilter.org .
SO , i posted this message.