From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a) Gecko/20020610

Description of problem:
iptables -t nat -A OUTPUT -d 143.106.24.189 -j DNAT --to-dest 172.31.160.17, which used to work with kernel 2.4.9-34, no longer works with kernel 2.4.18-5. I haven't verified that it is not iptables-1.2.5-3 that's passing incorrect arguments to the kernel, but I've checked with strace that it is the kernel that is returning the EINVAL error to userland. The man page still says DNAT is valid in the nat OUTPUT table.

Version-Release number of selected component (if applicable):
kernel-2.4.18-5.athlon

How reproducible:
Always

Steps to Reproduce:
Starting from empty (or otherwise) iptables, run:
    iptables -t nat -A OUTPUT -d ip.address.of.choice -j DNAT --to-dest any.other.ip.address

Actual Results:
iptables: Invalid argument

Expected Results:
It should start redirecting outgoing packets originally addressed to ip.address.of.choice to any.other.ip.address.

Additional info:
Looks like this is just because kernel.config says:

    # CONFIG_IP_NF_NAT_LOCAL is not set

and ip_nat_rule does:

    #ifndef CONFIG_IP_NF_NAT_LOCAL
        if (hook_mask & (1 << NF_IP_LOCAL_OUT)) {
            DEBUGP("DNAT: CONFIG_IP_NF_NAT_LOCAL not enabled\n");
            return 0;
        }
    #endif

but why is this feature disabled by default?
I see this is fixed in the Phoebe beta2 kernel, in that IP_NF_NAT_LOCAL is built as a module. Can't tell for how long it's been fixed, but thanks!
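The diagnosis above (EINVAL from the kernel because CONFIG_IP_NF_NAT_LOCAL is unset) suggests a preflight check before adding a DNAT rule to the nat OUTPUT chain. The following shell script is an added example, not code from the bug report or from Red Hat: it reads a kernel config file whose path is passed in (an assumption; on a real box that would be /boot/config-$(uname -r) or a decompressed /proc/config.gz), reports whether CONFIG_IP_NF_NAT_LOCAL is enabled, and only then emits the rule from the report. It treats both =y and =m as enabled so it covers the builtin and the module case mentioned in the thread. The two config files it builds under "demo" are constructed samples standing in for the 2.4.18-5 and Phoebe kernels, not real config dumps.

```shell
#!/bin/sh
# Added example (not part of the Bugzilla report): preflight check for
# "iptables -t nat -A OUTPUT ... -j DNAT", which the report traces to
# CONFIG_IP_NF_NAT_LOCAL being unset in the kernel config.

# nat_local_status CONFIG_FILE
# Prints one of: enabled, disabled, unknown. CONFIG_FILE is an assumed
# parameter (e.g. /boot/config-$(uname -r)); =y and =m both count as enabled.
nat_local_status() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo unknown
    elif grep -q '^CONFIG_IP_NF_NAT_LOCAL=[ym]$' "$cfg"; then
        echo enabled
    elif grep -q '^# CONFIG_IP_NF_NAT_LOCAL is not set$' "$cfg"; then
        echo disabled
    else
        echo unknown
    fi
}

# dnat_output_plan CONFIG_FILE ORIG_DST NEW_DST
# Prints the iptables command when the kernel can NAT locally generated
# packets; otherwise prints a "skip:" line with the reason, so an init
# script can log it instead of tripping over EINVAL.
dnat_output_plan() {
    case "$(nat_local_status "$1")" in
        enabled)
            echo "iptables -t nat -A OUTPUT -d $2 -j DNAT --to-dest $3" ;;
        disabled)
            echo "skip: CONFIG_IP_NF_NAT_LOCAL is not set; DNAT in nat OUTPUT would fail with EINVAL" ;;
        *)
            echo "skip: cannot determine CONFIG_IP_NF_NAT_LOCAL from $1" ;;
    esac
}

# make_sample_config PATH NAT_LOCAL_LINE
# Writes a constructed sample config (not a real kernel config dump)
# containing the given CONFIG_IP_NF_NAT_LOCAL line.
make_sample_config() {
    printf '%s\n' '# constructed sample, not a real kernel config' \
        'CONFIG_IP_NF_NAT=m' "$2" 'CONFIG_IP_NF_TARGET_MASQUERADE=m' > "$1"
}

# Usage: sh preflight.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_config "$tmp/config-2.4.18-5" '# CONFIG_IP_NF_NAT_LOCAL is not set'
    make_sample_config "$tmp/config-phoebe" 'CONFIG_IP_NF_NAT_LOCAL=m'
    dnat_output_plan "$tmp/config-2.4.18-5" 143.106.24.189 172.31.160.17
    dnat_output_plan "$tmp/config-phoebe" 143.106.24.189 172.31.160.17
    rm -r "$tmp"
fi
```

Running it with "demo" prints a skip line for the constructed 2.4.18-5 config and the iptables command for the constructed Phoebe config; pointing nat_local_status at the real config of the running kernel answers the question the reporter had to answer with strace.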