Old 05-19-2009, 05:54 AM   #1
DNAT rule not working for private IP.

Hi All,

What I am trying to do is map a public IP to a private one. My network structure is:

A firewall which has two IPs,


and a web server


What I want is that when anyone accesses the public IP of the firewall, which is
"", it should map to the private IP of the web server "",
where the web server is already configured.

Note: I have done this with public IPs, meaning I have mapped them -> successfully, so what is the problem with private ones?

Firewall OS: Ubuntu
Webserver OS: RedHat

Code I have applied:
sudo iptables -A FORWARD -d -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -d -p tcp --dport 8080 -j ACCEPT

sudo ip route add nat via
sudo ip rule add nat from

ip route add nat via
ip rule add nat from

sudo iptables -t nat -A PREROUTING -i eth1 -d -p tcp --dport 80 -j DNAT --to-destination

Can anyone help? Your help will be highly appreciated. Thanks in advance.


Last edited 05-19-2009 at 06:04 AM.
Old 05-20-2009, 08:56 PM   #2
I have never specified nat with the ip command and don't really know what it does. But I have DNATed before and have never needed such a thing. Your DNAT command looks right to me and I would think it should be sufficient by itself ... assuming the return packets from the Webserver are sent back through the firewall. You can do this either by having the routing table of the webserver send Internet bound packets to your firewall or you can (in addition to DNAT) SNAT the incoming packets such that they appear to be coming from the firewall.

I've tried skimming the ip man page to find out what nat does. Perhaps that is intended for doing the SNAT I mentioned? You can certainly accomplish an SNAT with a rule in iptables' POSTROUTING chain. I also found this in the ip man page and wonder whether it is relevant. (The emphasis is mine.)

    nat - a special NAT route. Destinations covered by the prefix are considered to be dummy (or external) addresses which require translation to real (or internal) ones before forwarding. The addresses to translate to are selected with the attribute Warning: Route NAT is no longer supported in Linux
I realize this post is a bit rambling, but I hope it helps anyway.
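A worked rule set for the setup described in the reply above, added here as an example; it is not code from the thread, and the addresses and interface names in it are assumptions (firewall WAN side eth1 / 203.0.113.10, LAN side eth0 / 192.168.1.1, web server 192.168.1.10, all from documentation and private ranges). It puts the DNAT in PREROUTING, adds the POSTROUTING SNAT the reply offers as the alternative to pointing the web server's default route at the firewall, and opens FORWARD for the translated flow. Two points the thread does not spell out: FORWARD is evaluated after PREROUTING, so its rules have to match the web server's private address, not the public one, and none of it does anything unless net.ipv4.ip_forward is 1 (DNATed packets are then dropped with no log entry, which looks exactly like "the rule does not work"). The ip route add nat / ip rule add nat lines are the route-based NAT the man page excerpt above says is no longer supported and are not needed. The script prints the commands by default and only applies them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not code from the thread). Addresses and interface names are
# assumptions: firewall WAN side eth1 / 203.0.113.10, LAN side eth0 /
# 192.168.1.1, web server 192.168.1.10 (RFC 5737 / RFC 1918 ranges).
# Dry-run by default (IPT=echo); run as root with IPT=iptables to apply.
IPT="${IPT:-echo}"
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
PUB_IP="${PUB_IP:-203.0.113.10}"
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"
WEB_IP="${WEB_IP:-192.168.1.10}"

# Port-forward TCP/80 on the public address to the web server.
# Chain order matters: PREROUTING DNAT runs before the routing decision, so by
# the time the packet reaches FORWARD its destination is already the private
# address; a FORWARD rule that matches the public address never fires.
apply_dnat() {
    # 1. Rewrite the destination of inbound web traffic arriving on the WAN side.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -d "$PUB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP:80"

    # 2. Make replies come back through the firewall. This SNAT is only needed
    #    when the web server's default route does not already point at the
    #    firewall; the cost is that the server's access log shows the firewall's
    #    LAN address instead of the real client address.
    "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -d "$WEB_IP" -p tcp --dport 80 \
        -j SNAT --to-source "$FW_LAN_IP"

    # 3. Let the translated flow through FORWARD in both directions, statefully,
    #    matching the private address (what FORWARD actually sees after DNAT).
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_IP" -p tcp --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$WEB_IP" -p tcp --sport 80 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# DNAT only rewrites the header; the kernel must also be willing to forward.
# With ip_forward=0 the DNATed packets are silently dropped. Takes an optional
# path so the check can be run against a file other than the live sysctl.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

if forwarding_enabled; then
    echo "# ip_forward=1"
else
    echo "# WARNING: ip_forward is not 1; run: sysctl -w net.ipv4.ip_forward=1"
fi
apply_dnat
```

Run it once without arguments to review the commands it would issue, then `sudo env IPT=iptables ./dnat.sh` to apply them. If the web server's default gateway is the firewall, delete the POSTROUTING rule so the real client addresses reach the web server's logs.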

