iptables redirect

Luca Ferrari fluca1978 at infinito.it
Sat Dec 22 13:55:40 UTC 2007


On Friday 21 December 2007 Derek Broughton's cat, walking on the keyboard, 
wrote:
> Luca Ferrari wrote:
> > Hi,
> > I'd like to open a port on my firewall to redirect to a testing web
> > server machine, thus I'm doing:
> >
> > $IPTABLES -t nat -I PREROUTING -i $EXT_INTF -p tcp -d $FIREWALL --dport
> > 9999 -s 0/0   -j DNAT --to $SONY:80 -v
> > $IPTABLES -I FORWARD -p tcp -i $EXT_INTF  --dport 9999   -d $SONY -j
> > ACCEPT
> > $IPTABLES -I FORWARD -p tcp -i $EXT_INTF  --dport 80     -d $SONY -j
> > ACCEPT
> >
> > $SONY is my destination machine, and I'd like to have the connection
> > opened from port 9999 on my firewall external interface to sony:80 port,
> > but this is not working. If I try to connect I get connection refused.
> > Any idea?
>
> I'd strongly recommend issuing the same commands _without_ variables. 
> Since we don't know what any of them actually are, it's entirely possible
> the commands don't do what you think they do...

Here they are:
iptables -t nat -I PREROUTING -i eth1 -p tcp -d 85.33.x.x --dport 9999 -s 0/0 -j DNAT --to 192.168.1.2:80 -v
iptables -I FORWARD -p tcp -i eth1  --dport 9999   -d 192.168.1.2 -j ACCEPT
iptables -I FORWARD -p tcp -i eth1  --dport 80     -d 192.168.1.2 -j ACCEPT

The gateway and the 192.168.1.2 machine talk over the internal Ethernet card, 
that is eth0; I think I should not place any rule for it here. By the 
way, I was executing the commands with the -v flag to see what addresses it 
was manipulating, and it seemed right to me.

Any idea?

Thanks,
Luca
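
As an added example (not part of the original thread or of Luca's rules), the script below builds the same port-forward as an iptables-restore ruleset, using the interface and addresses from the post, and lints a ruleset for the flaw visible in the posted FORWARD rules: nat/PREROUTING rewrites the destination to 192.168.1.2:80 before the FORWARD chain is consulted, so a FORWARD rule matching "--dport 9999 -d 192.168.1.2" cannot match the forwarded connection and only the "--dport 80" rule does any work. The function names, the conntrack return rule and the DROP policy on FORWARD are my assumptions; 85.33.x.x is kept as the post's placeholder and must be replaced with the real public address before loading.

```shell
#!/bin/sh
# Added example, not from the original post. Values taken from the thread;
# EXT_IP is the post's placeholder and must be replaced before use.
EXT_IF=eth1
EXT_IP=85.33.x.x
EXT_PORT=9999
SERVER=192.168.1.2
SERVER_PORT=80

# Emit a complete ruleset in iptables-restore(8) format.
# Load it (as root) with:  build_rules | iptables-restore
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite public:$EXT_PORT to the internal web server; only packets arriving on $EXT_IF
-A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $EXT_PORT -j DNAT --to-destination $SERVER:$SERVER_PORT
COMMIT
*filter
:FORWARD DROP [0:0]
# Replies for connections already accepted (assumed policy DROP needs this)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FORWARD runs after nat/PREROUTING: match the post-DNAT destination and port
-A FORWARD -i $EXT_IF -p tcp -d $SERVER --dport $SERVER_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset read from stdin (iptables commands or iptables-restore lines).
# Prints each finding and returns 1 if any is found, 0 if the ruleset is clean.
lint_forward_rules() {
    rules=$(cat)
    status=0
    # 1. A FORWARD rule keyed on the external (pre-DNAT) port and the internal
    #    server address can never see the forwarded connection.
    dead=$(printf '%s\n' "$rules" \
        | grep -E -e "(-A|-I) FORWARD .*--dport $EXT_PORT([[:space:]]|\$)" \
        | grep -F -e "-d $SERVER" || true)
    if [ -n "$dead" ]; then
        printf 'dead rule (FORWARD sees dport %s after DNAT, not %s):\n%s\n' \
            "$SERVER_PORT" "$EXT_PORT" "$dead"
        status=1
    fi
    # 2. Without a conntrack rule, reply packets from the server are forwarded
    #    only if the FORWARD chain policy happens to be ACCEPT.
    if ! printf '%s\n' "$rules" | grep -q -E -e '(-A|-I) FORWARD .*ESTABLISHED'; then
        echo 'no FORWARD rule for ESTABLISHED,RELATED traffic: replies depend on the chain policy'
        status=1
    fi
    return $status
}

# The FORWARD rules as posted in the thread, embedded here as constructed input
# for the linter (the --dport 9999 rule is the dead one).
POSTED_FORWARD_RULES='iptables -I FORWARD -p tcp -i eth1  --dport 9999   -d 192.168.1.2 -j ACCEPT
iptables -I FORWARD -p tcp -i eth1  --dport 80     -d 192.168.1.2 -j ACCEPT'

# Usage: show the generated ruleset, then lint both rulesets
build_rules
build_rules | lint_forward_rules && echo "generated ruleset: clean"
printf '%s\n' "$POSTED_FORWARD_RULES" | lint_forward_rules || echo "posted rules: findings above"
```

Two checks belong next to any rule set like this, whichever way the rules are written: net.ipv4.ip_forward must be 1 or nothing is forwarded at all, and a DNAT rule keyed on "-i eth1" only translates packets that actually arrive on eth1, so a test run from the LAN against the public address reaches the firewall itself on port 9999 rather than the web server.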
