Using DNAT and iptables not working for second of two public interfaces

I am an Ubuntu noob and would appreciate help with DNAT on Ubuntu 12.04, which I am using for a firewall/router. I have two public interfaces and one private interface. I want to DNAT traffic from public interface eth0 to on the private LAN, and I want to DNAT traffic from public interface eth2 to on the private LAN.

I am using IPTABLES, and this is my configuration:

/sbin/iptables -t nat -A PREROUTING -p tcp -d X.X.X.X --dport 80 -j DNAT --to

/sbin/iptables -t nat -A PREROUTING -p tcp -d y.y.y.y --dport 80 -j DNAT --to

x.x.x.x = eth0
y.y.y.y = eth2

DNAT works for eth0 but not for eth2, although I can ping y.y.y.y from the public side.  
Can anyone please help me determine why DNAT is not working for eth2? Does DNAT only work on the primary interface?

Thanks in advance!

Are you trying to divert web requests to go through an internal proxy?
Are you trying to setup port forwarding from external access to an internal system?

Do you have a similar rule on the INPUT interface?

You might want to include the -i eth2/eth0
Could you look at iptables -t nat -L PREROUTING --line-numbers to see whether you have a rule that matches before the one you referenced?
Does your eth0 versus eth2 interface differ in the iptables rules?
bradber (Author) commented:

I am trying to set up port forwarding from external access to an internal system. I have two public-facing interfaces on the Ubuntu firewall. I have two servers on a switch connected to the private side of the Ubuntu firewall. I would like to forward traffic from public-facing eth0 to the server with private IP address and I would like to forward traffic from public-facing eth2 to the server with private address

My rules for eth0 and eth2 are matched, only the ip addresses and interface numbers differ.
I do not have any rules with -t NAT -L PREROUTING; I only have rules with -t NAT -A PREROUTING

Should I be using the -L option instead?
Depending on their placement, they should match provided the destination IP matches.

An alternative to matching an IP is to match the interface using -i eth2 instead of -d yy.yy.yyy.yyy

You can try using the LOGACCEPT event to log when something hits.
I understand that the rules you have are identical and should match, but as you see they do not. Perhaps the destination is not what you expect. Use tcpdump on the Ubuntu system to capture traffic on eth2 and see whether the source/destination you think should be seen is actually what is being seen:

tcpdump -an -i eth2 port 80
tcpdump -an -i eth2 dst yyy.yyy.yyy.yyy

Look at the IPs reflected there.
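
The rule-ordering check suggested in the answers above can be scripted. The following is an added example, not code from any participant in this thread: it reads `iptables-save -t nat` text and reports the first PREROUTING rule that would claim a given TCP packet. The function name, the sample rules and the documentation-range addresses are constructed for illustration; only `-i`, `-p`, `-d` and `--dport` are modelled.

```shell
#!/bin/sh
# Added example: find the first nat PREROUTING rule that claims a TCP packet.
# Input on stdin is `iptables-save -t nat` text. Rules using "!" or a prefix
# other than /32 are printed as REVIEW (cannot be decided here) and scanning
# continues; the first definite match is printed as MATCH and ends the scan.
first_prerouting_match() {   # usage: first_prerouting_match IFACE DST DPORT
    awk -v iface="$1" -v dst="$2" -v dport="$3" '
    $1 == "-A" && $2 == "PREROUTING" {
        n++                      # same position that --line-numbers reports
        ok = 1; unsure = 0
        for (i = 3; i < NF; i++) {
            if ($i == "!") { unsure = 1; i += 2 }      # skip negated option
            else if ($i == "-i" && $(i+1) != iface) ok = 0
            else if ($i == "-p" && $(i+1) != "tcp") ok = 0
            else if ($i == "--dport" && $(i+1) != dport) ok = 0
            else if ($i == "-d") {
                a = $(i+1); sub(/\/32$/, "", a)
                if (a ~ /\//) unsure = 1               # network prefix
                else if (a != dst) ok = 0
            }
        }
        if (ok && unsure) printf "%d REVIEW %s\n", n, $0
        else if (ok) { printf "%d MATCH %s\n", n, $0; exit }
    }'
}

# Constructed sample rule set (assumption, not from the thread): rule 2 has
# no -d or -i, so it claims port 80 on every interface before rule 3 is seen.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 198.51.100.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d 203.0.113.20/32 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20
COMMIT'

# Which rule handles port 80 traffic arriving on eth2 for 203.0.113.20?
printf '%s\n' "$SAMPLE" | first_prerouting_match eth2 203.0.113.20 80
```

On a live firewall, pipe `iptables-save -t nat` into the function in place of the sample text.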

bradber (Author) commented:
Thanks Arnold, I am going to try using the -i eth2 instead of -d yy.yy.yyy.yyy and I expect that will fix it. If not, I will use tcpdump to troubleshoot. I have to set this aside for several days so I can't verify that it works yet but am going to go ahead and award the points.

Thanks for the help!