simple nat dilemma

[patrick conlin <patrick@wechsler.com>]

Hello everyone,

Let me preface this by saying that I am seriously disappointed by my failure
to figure out what I'm doing wrong here, and any admonitions I receive from
ramin for being an idiot will be appreciated. I've been using ipchains for a
over a year for simple packet filtering and am now setting up a simple nat
gateway with iptables, but can't get it to work.

I'm trying to get the nat machine (bulgakov) to make zamyatin look and feel
like 207.224.76.204 for all external activity, inbound and outbound.
Eventually I'll be trying to make olesha look and feel like 207.224.76.202,
but one step at a time.

It's the classic setup:

bulgakov
eth0: 207.224.76.201
eth1: 10.1.1.1

zamyatin
eth0: 10.1.1.107

I've got a 1 in /proc/sys/net/ipv4/ip_forward

As an aside, when I set up

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Everything works great, for what it's worth (obviously not useful for
inbound connections). I am able to connect to the outside world and do
whatever I want (ping, traceroute, ftp, www, whatever) and It looks like the
connection is coming from 207.224.76.201. Of course, that's not what I'm
trying to do so I flush the chain, follow trusty rusty, and add the
following:

# iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.107 -j SNAT --to-source
207.224.76.204

No dice. I think the packets must be getting nat'd on the way out, but the
return packects aren't getting sent to the right place, so I add:

# iptables -t nat -A PREROUTING -d 207.224.76.204 -j DNAT --to-destination
10.1.1.107

Still nothing. I think maybe I need some explicit action on my FORWARD
chain, so I add:

# iptables -t filter -A FORWARD -s 10.1.1.107 -j ACCEPT

And

# iptables -t filter -A FORWARD -d 207.224.76.204 -j ACCEPT

Alas, still no love. So, a plea for help to those more fluent. I know I must
be missing something obvious.

Thanks!

patrick