From: "Carlo Florendo" <carlo@hq.astra.ph>
To: netfilter@lists.netfilter.org
Subject: Re: DNAT from an IP address that does not exist to another that exists
Date: Thu, 7 Aug 2003 14:55:28 +0800	[thread overview]
Message-ID: <006201c35cb0$e2f396c0$200aa8c0@thorin> (raw)
In-Reply-To: 004e01c35caf$86bd4910$200aa8c0@thorin

Hello Chris,

> > The gateway address is 192.168.30.1
> > The non-existent address which I want to DNAT to another machine 
> > within the network is 192.168.40.40
> > The existent IP address where I want 192.168.40.40 to be forwarded to, 
> > is 192.168.30.11
> 
> This is a case of what I call "bermuda triangle" routing, and is
> definitely a FAQ. The problem is that the replies to your connection go
> _directly_ back from 192.168.30.11 to 192.168.30.x, without going through
> the firewall, and as a result they don't get un-masqueraded, and
> 192.168.30.x ignores them, since it's expecting to see packets from
> 192.168.40.40 instead of 192.168.30.11.
> 
> The only solution that I know is to masquerade the DNAT'ed packets, so 
> that they will always go back through the firewall. For example, in your 
> case:
> 
>   iptables -t nat -I POSTROUTING -s 192.168.30.0/24 -d 192.168.30.11 \
>  -j MASQUERADE
> 
> Cheers, Chris.

Thanks a lot!  This is great!  This one worked too, as well as the earlier post.

So this means that:

iptables -t nat -I POSTROUTING -s 192.168.30.0/24 -d 192.168.30.11 \
    -j MASQUERADE
(your solution)

and 

iptables -I POSTROUTING -t nat -s 192.168.30.0/24 -o $INTDEV \
    -d 192.168.30.11 -j SNAT --to 192.168.30.1
(c/o George Vieira)

are equivalent (given that 192.168.30.1 is the gateway).

Now I realize what *to masquerade* means.

Thanks a lot!

Best Regards,

Carlo
------
Carlo Florendo
Astra Philippines Inc.
URL: http://www.hq.astra.ph/resources
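The following is an added example and is not code from Carlo's mail or from anyone else in the thread. It is a small Python model of the "bermuda triangle" return path Chris describes: a client on 192.168.30.0/24 talks to the non-existent 192.168.40.40, the gateway DNATs that to 192.168.30.11, and the reply either goes straight back across the LAN (bypassing the firewall, so it arrives from 192.168.30.11 and the client discards it) or, with the hairpin SNAT/MASQUERADE rule, is forced back through the gateway where conntrack reverses both translations. Assumptions not on this page: a PREROUTING DNAT rule 192.168.40.40 -> 192.168.30.11 (what the thread's subject describes), a constructed client address 192.168.30.20, and that the gateway's address on the internal interface is 192.168.30.1, which is what makes `-j MASQUERADE` and `-j SNAT --to 192.168.30.1` equivalent here. Port rewriting that a real SNAT may also perform is ignored.

```python
"""Model of the "bermuda triangle" DNAT return path discussed above.

Added example, not code from the thread.  Hosts and addresses follow the
mail; the client address 192.168.30.20 is a constructed assumption, and so
is the PREROUTING DNAT rule 192.168.40.40 -> 192.168.30.11 that the thread's
subject describes but this page does not show.  Port rewriting that real
SNAT/MASQUERADE may also do is ignored.
"""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("192.168.30.0/24")
GATEWAY = "192.168.30.1"     # gateway / firewall, per the mail
VIRTUAL = "192.168.40.40"    # the non-existent address being DNATed
SERVER = "192.168.30.11"     # real host the virtual address maps to
CLIENT = "192.168.30.20"     # constructed client on the same segment


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Gateway:
    """Minimal netfilter box: PREROUTING DNAT, optional POSTROUTING SNAT
    (Chris's rule: -s 192.168.30.0/24 -d 192.168.30.11), and a conntrack
    table that reverses both translations on the reply."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # expected reply tuple -> original (pre-NAT) request

    def forward(self, pkt: Packet) -> Packet:
        original = self.conntrack.get(pkt)
        if original is not None:
            # Reply to a tracked connection: undo DNAT and SNAT so the client
            # sees the answer coming from the address it actually talked to.
            return Packet(original.dst, original.src, original.dport, original.sport)
        out = pkt
        if out.dst == VIRTUAL:                    # PREROUTING -j DNAT --to SERVER
            out = replace(out, dst=SERVER)
        if (self.hairpin_snat and out.dst == SERVER
                and ipaddress.ip_address(out.src) in LAN):
            out = replace(out, src=GATEWAY)       # POSTROUTING -j SNAT --to GATEWAY
        if out != pkt:
            expected_reply = Packet(out.dst, out.src, out.dport, out.sport)
            self.conntrack[expected_reply] = pkt
        return out


def route(pkt: Packet, gw: Gateway, hops: list) -> Packet:
    """Deliver pkt following plain LAN routing: a destination on the local
    subnet is reached directly (the gateway never sees it); anything else,
    and the gateway's own address, goes through the gateway."""
    for _ in range(4):   # bounded, like a TTL
        if pkt.dst != GATEWAY and ipaddress.ip_address(pkt.dst) in LAN:
            hops.append(pkt.dst)
            return pkt
        hops.append("gateway")
        translated = gw.forward(pkt)
        if translated == pkt:       # no NAT rule or state matched: gateway keeps it
            return pkt
        pkt = translated
    raise RuntimeError("routing loop")


def simulate(hairpin_snat: bool):
    """One request/reply exchange. Returns (client_accepts_reply, hops)."""
    gw = Gateway(hairpin_snat)
    hops = []
    request = Packet(CLIENT, VIRTUAL, 40000, 80)
    at_server = route(request, gw, hops)
    # The server answers whatever source address it saw on the request.
    reply = Packet(SERVER, at_server.src, at_server.dport, at_server.sport)
    at_client = route(reply, gw, hops)
    # The client's socket only matches a reply from 192.168.40.40:80 to its port.
    accepted = (at_client.dst == CLIENT and at_client.src == VIRTUAL
                and at_client.sport == 80 and at_client.dport == 40000)
    return accepted, hops


if __name__ == "__main__":
    for snat in (False, True):
        ok, hops = simulate(snat)
        print(f"hairpin SNAT={snat}: path={' -> '.join(hops)}, "
              f"client accepts reply={ok}")
```

Without the hairpin rule the path is gateway -> 192.168.30.11 -> 192.168.30.20 and the reply is rejected; with it the path is gateway -> 192.168.30.11 -> gateway -> 192.168.30.20 and the reply is accepted. The price of the fix is visible in the model too: 192.168.30.11 now sees every such connection as coming from 192.168.30.1, so its logs and any per-client access control on that host lose the real client address.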

Thread overview: 8+ messages
     [not found] <004e01c35caf$86bd4910$200aa8c0@thorin>
2003-08-07  6:55 ` Carlo Florendo [this message]
2003-08-07 12:03   ` DNAT from an IP address that does not exist to another that exists Whit Blauvelt
2003-07-30  3:48 George Vieira
2003-07-30  4:06 ` Carlo Florendo
  -- strict thread matches above, loose matches on Subject: below --
2003-07-30  3:40 George Vieira
2003-07-30  3:13 Carlo Florendo
2003-07-30  3:09 Carlo Florendo
2003-08-01 15:13 ` Chris Wilson