iptables DNAT question

From: Claudio Nieder (private_at_claudio.ch)
Date: 11/21/03


Date: 21 Nov 2003 04:59:23 -0800

Hi,

this command gives me an error I don't understand:

# iptables -t nat -A OUTPUT -p tcp -d 80.254.169.102 --dport 25 -j DNAT --to-destination 80.254.169.102:8025
iptables: Invalid argument

(If word wrapping mangles it: The whole command was entered on one
line)

If I supply everything before -j DNAT, then iptables makes an entry, so the
first arguments are probably right:

# iptables -t nat -A OUTPUT -p tcp -d 80.254.169.102 --dport 25

# iptables -L -t nat -vn
 ...
Chain OUTPUT (policy ACCEPT 40 packets, 2458 bytes)
 pkts bytes target prot opt in out source destination
    0 0 tcp -- * * 0.0.0.0/0 80.254.169.102 tcp dpt:25

# iptables -t nat -D OUTPUT 1

# iptables -L -t nat -vn
 ...
Chain OUTPUT (policy ACCEPT 40 packets, 2458 bytes)
 pkts bytes target prot opt in out source destination

When I ask for help on the DNAT arguments I get this explanation:

# iptables -t nat -A OUTPUT -p tcp -d 80.254.169.102 --dport 25 -j DNAT --help
iptables v1.2.9
 ...
DNAT v1.2.9 options:
 --to-destination <ipaddr>[-<ipaddr>][:port-port]
                                Address to map destination to.
                                (You can use this more than once)

Which, to me, looks like what I am trying to do. Yet when I add the
--to-destination argument I get

# iptables -t nat -A OUTPUT -p tcp -d 80.254.169.102 --dport 25 -j DNAT --to-destination 80.254.169.102:8025
iptables: Invalid argument

Please help me to spot my error.

FYI: This is on a Gentoo Linux

# uname -a
Linux garfield.inodes.ch 2.4.22-ac4 #5 Thu Nov 6 22:05:47 CET 2003 i686 Mobile Intel(R) Pentium(R) 4 - M CPU 2.40GHz GenuineIntel GNU/Linux

Many thanks

claudio (private@claudio.ch)


