bradber asked:

using DNAT and IPtables not working for second of two public interfaces

I am an ubuntu noob and would appreciate help with DNAT on Ubuntu 12.04, which I am using for a firewall/router.  I have two public interfaces and one private interface. I want to DNAT traffic from public interface eth0 to on the private LAN, and I want to DNAT traffic from public interface eth2 to on the private LAN.

I am using IPTABLES, and this is my configuration:

/sbin/iptables -t nat -A PREROUTING -p tcp -d X.X.X.X --dport 80 -j DNAT --to

/sbin/iptables -t nat -A PREROUTING -p tcp -d y.y.y.y --dport 80 -j DNAT --to

x.x.x.x = eth0
y.y.y.y = eth2

DNAT works for eth0 but not for eth2, although I can ping y.y.y.y from the public side.  
Can anyone please help me determine why DNAT is not working for eth2? Does DNAT only work on the primary interface?

Thanks in advance!
Last comment: 8/22/2022 - Mon

Are you trying to divert web requests to go through an internal proxy?
Are you trying to setup port forwarding from external access to an internal system?

Do you have a similar rule on the INPUT interface?

You might want to include the -i eth2/eth0
Could you look at iptables -t NAT -L PREROUTING --line-numbers to see whether you have a rule that matches before the one you referenced.
Does your eth0 versus eth2 interface differ in the iptables rules?
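The rule shape suggested above, written out as an added example that is not part of the thread: each uplink gets a PREROUTING DNAT matching on both the inbound interface and the public address, plus the FORWARD rules that DNAT alone does not give you, and a small checklist of what to list when one uplink works and the other does not. Interface names (eth1 as the private side) and all addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. APPLY=1 runs iptables; otherwise the
# commands are only printed, so the script can be reviewed first.
APPLY=${APPLY:-0}
IPT=/sbin/iptables
LAN_IF=eth1                      # assumed name of the private-side interface

run() {                          # print or execute one command
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

# forward_tcp PUBLIC_IF PUBLIC_IP PRIVATE_IP PORT
forward_tcp() {
    pub_if=$1; pub_ip=$2; priv_ip=$3; port=$4
    # PREROUTING: rewrite the destination before the routing decision;
    # matching on -i and -d together keeps the two uplinks from overlapping
    run $IPT -t nat -A PREROUTING -i "$pub_if" -d "$pub_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$priv_ip:$port"
    # FORWARD: the rewritten packet still has to pass the filter table
    run $IPT -A FORWARD -i "$pub_if" -o "$LAN_IF" -d "$priv_ip" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A FORWARD -i "$LAN_IF" -o "$pub_if" -s "$priv_ip" -p tcp --sport "$port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# What to look at when one uplink forwards and the other does not
diagnose() {
    run sysctl net.ipv4.ip_forward                        # must be 1
    run $IPT -t nat -L PREROUTING -n -v --line-numbers    # earlier rule winning? counters at zero?
    run $IPT -L FORWARD -n -v --line-numbers              # DNAT applied but dropped here?
}
# Caveat: with two uplinks, replies to clients of eth2 must also leave via eth2;
# if the default route points at eth0 that needs a policy-routing rule (not shown).

forward_tcp eth0 203.0.113.10 192.168.1.10 80    # constructed placeholder addresses
forward_tcp eth2 198.51.100.10 192.168.1.20 80
diagnose
```

Run it once without APPLY to read the generated rules, then with APPLY=1 as root to install them.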


I am trying to set up port forwarding from external access to an internal system. I have two public-facing interfaces on the Ubuntu firewall. I have two servers on a switch connected to the private side of the Ubuntu firewall. I would like to forward traffic from public-facing eth0 to the server with private IP address and I would like to forward traffic from public-facing eth2 to the server with private address

My rules for eth0 and eth2 are matched, only the ip addresses and interface numbers differ.
I do not have any rules with -t NAT -L PREROUTING; I only have a rule with -t NAT -A PREROUTING.

Should I be using the -L option instead?


Thanks Arnold, I am going to try using the -i eth2 instead of -d yy.yy.yyy.yyy and I expect that will fix it. If not, I will use tcpdump to troubleshoot. I have to set this aside for several days so I can't verify that it works yet, but I am going to go ahead and award the points.

Thanks for the help!