Iptables nat port manipulation problem

Oi!

I, for the life of me, cannot figure out why the included code-snip is
not performing the following:

I want to be able to "ssh Box_A -p 44" and have it forward that to
Box_B's ssh port.

#######SNIP
# Box_A = $IP0 (single NIC)
# Box_B = $IP1

$IPTABLES -A FORWARD -i $IF0 -o $IF0 -d $IP0 -p tcp \
--dport 44 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i $IF0 -p tcp -d $IP0 \
--dport 44 -j DNAT --to $IP1:22

$IPTABLES -t nat -A POSTROUTING -o $IF0 -j MASQUERADE

$IPTABLES -t nat -A POSTROUTING -o $IF0 -j SNAT --to $IP0
#######SNIP

Thanks,
- Perry

On Tue, 11 May 2004 18:41:24 -0700, Perry Whelan wrote:
> I want to be able to "ssh Box_A -p 44" and have it forward that to
> Box_B's ssh port.
>
> #######SNIP
> # Box_A = $IP0 (single NIC)
> # Box_B = $IP1
>
> $IPTABLES -A FORWARD -i $IF0 -o $IF0 -d $IP0 -p tcp \
> --dport 44 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Here's the problem. The NAT PREROUTING table has rewritten these
packets. Their destination is now ...

> $IPTABLES -t nat -A PREROUTING -i $IF0 -p tcp -d $IP0 \
> --dport 44 -j DNAT --to $IP1:22

.... $IP1:22. Presumably some other rule or the policy is DROP'ing or
REJECT'ing them. They don't get to the filter FORWARD chain until NAT
PREROUTING has had its way with them.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply