Using DNAT and iptables not working for second of two public interfaces

I am an Ubuntu noob and would appreciate help with DNAT on Ubuntu 12.04, which I am using as a firewall/router. I have two public interfaces and one private interface. I want to DNAT traffic from public interface eth0 to on the private LAN, and I want to DNAT traffic from public interface eth2 to on the private LAN.

I am using iptables, and this is my configuration:

/sbin/iptables -t nat -A PREROUTING -p tcp -d X.X.X.X --dport 80 -j DNAT --to

/sbin/iptables -t nat -A PREROUTING -p tcp -d y.y.y.y --dport 80 -j DNAT --to

x.x.x.x = eth0
y.y.y.y = eth2

DNAT works for eth0 but not for eth2, although I can ping y.y.y.y from the public side.
Can anyone please help me determine why DNAT is not working for eth2? Does DNAT only work on the primary interface?

Thanks in advance!
1 Solution
Are you trying to divert web requests to go through an internal proxy?
Are you trying to setup port forwarding from external access to an internal system?

Do you have a similar rule on the INPUT interface?

You might want to include the -i eth2/eth0
Could you look at iptables -t nat -L PREROUTING --line-numbers to see whether you have a rule that matches before the one you referenced.
Does your eth0 versus eth2 interface differ in the iptables rules?
bradber (Author) commented:

I am trying to set up port forwarding from external access to an internal system. I have two public-facing interfaces on the Ubuntu firewall. I have two servers on a switch connected to the private side of the Ubuntu firewall. I would like to forward traffic from public-facing eth0 to the server with private IP address and I would like to forward traffic from public-facing eth2 to the server with private address

My rules for eth0 and eth2 are matched, only the ip addresses and interface numbers differ.
I do not have any rules with -t NAT -L PREROUTING; I only have rule with -t NAT -A PREROUTING

Should I be using the -L option instead?
Depending on their placement, they should match provided the destination IP matches.

An alternative to matching an IP is to match the interface using -i eth2 instead of -d yy.yy.yyy.yyy

You can try using the LOGACCEPT event to log when something hits.
I understand that the rules you have are identical and should match, but as you see they do not. Either the destination is not what you expect, or something else is off; use tcpdump on the Ubuntu system to capture traffic on eth2 and see whether the source/destination you think should be seen is actually what is being seen:

tcpdump -nn -i eth2 port 80
tcpdump -nn -i eth2 dst yyy.yyy.yyy.yyy
Look at the IPs reflected there.
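To act on the "does an earlier rule match first?" check suggested above, here is an added helper (not from the question or the answer) that parses the output of iptables -t nat -L PREROUTING -n -v --line-numbers and reports which rule a given packet would hit first, walking the chain in order the way netfilter does. The listing below is constructed, the addresses are placeholders, and -n -v are added so that the "in" interface column is present.

```python
import ipaddress
import re

# Constructed sample of `iptables -t nat -L PREROUTING -n -v --line-numbers`, modelled
# on the question: rule 2 is an accidental catch-all that matches before the eth2 rule.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:192.168.1.10
2        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.10
3        0     0 DNAT       tcp  --  eth2   *       0.0.0.0/0            203.0.113.20         tcp dpt:80 to:192.168.1.20
"""

def parse_listing(text):
    """Turn the -v --line-numbers listing into a list of rule dicts, in chain order."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 10 or not cols[0].isdigit():
            continue  # skip the "Chain ..." line and the column header
        extra = " ".join(cols[10:])  # match extensions, e.g. "tcp dpt:80 to:192.168.1.10"
        dpt = re.search(r"dpt:(\d+)", extra)
        to = re.search(r"to:(\S+)", extra)
        rules.append({
            "num": int(cols[0]), "target": cols[3], "prot": cols[4], "in": cols[6],
            "dst": ipaddress.ip_network(cols[9], strict=False),  # bare IP becomes /32
            "dport": int(dpt.group(1)) if dpt else None,
            "to": to.group(1) if to else None,
        })
    return rules

def first_match(rules, in_iface, dst_ip, prot="tcp", dport=80):
    """Return the first rule the packet would hit (first match wins in a chain), or None."""
    for r in rules:
        if r["in"] not in ("*", in_iface):
            continue
        if r["prot"] not in ("all", prot):
            continue
        if ipaddress.ip_address(dst_ip) not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r
    return None

if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    for iface, ip in (("eth0", "203.0.113.10"), ("eth2", "203.0.113.20")):
        hit = first_match(rules, iface, ip)
        print(f"{iface} {ip}:80 -> rule {hit['num']} {hit['target']} to {hit['to']}")
```

Running it against a real box means feeding the command's output to parse_listing instead of SAMPLE_LISTING; if the reported rule number is not the one you wrote for eth2, the earlier rule is the one stealing the traffic.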
bradber (Author) commented:
Thanks Arnold, I am going to try using the -i eth2 instead of -d yy.yy.yyy.yyy and I expect that will fix it. If not, I will use tcpdump to troubleshoot. I have to set this aside for several days so I can't verify that it works yet, but am going to go ahead and award the points.

Thanks for the help!