From mboxrd@z Thu Jan 1 00:00:00 1970
From: Raymond Leach
Subject: Re: simple nat question
Date: Wed, 03 Jul 2002 09:00:52 +0200
Sender: netfilter-admin@lists.samba.org
Message-ID: <3D22A124.8050606@knowledgefactory.co.za>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Errors-To: netfilter-admin@lists.samba.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Ben
Cc: NetFilter

Hi Ben

iptables is clever enough to know and remember where the original packet
came from and will automagically do the translation necessary for the
return packets.

Ray

Ben wrote:
> I've got a basic nat setup:
>
>  internet
>      |
> +====+=====+ eth0: 1.2.3.4
> | firewall |
> +====+=====+ eth1: 10.0.0.1
>      |
> +====+=====+ eth0: 10.0.0.2
> |  server  |
> +==========+
>
>
> What I would like is for packets coming from the server (10.0.0.2) to get
> SNAT'd to the firewall's IP address, 1.2.3.4. It seems easy enough to do:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.2 -j SNAT --to 1.2.3.4
>
> But now I don't see how return packets are going to make it back to my
> server, because the firewall is going to think they are destined for it.
> If I add the rule:
>
> iptables -t nat -A PREROUTING -d 1.2.3.4 -i ! eth0 -j DNAT --to 10.0.0.2
>
> Then it seems I lose the ability for the firewall to run anything
> accessible to the outside world, like ssh.
>
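Ray's point, that connection tracking remembers the original source and reverses the SNAT on replies without any DNAT rule, modelled as an added Python example (not from this thread and not netfilter's code); the firewall and server addresses are Ben's, the remote hosts and the `conntrack` dict are constructed stand-ins.

```python
from dataclasses import dataclass

# Ben's addresses from the thread; remote hosts used below are constructed.
FW_EXT, FW_INT, SERVER = "1.2.3.4", "10.0.0.1", "10.0.0.2"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Hypothetical stand-in for the conntrack table: reply-direction 5-tuple
# -> original (src, sport) that was rewritten on the way out.
conntrack = {}


def postrouting(p, out_if):
    """-t nat -A POSTROUTING -o eth0 -s 10.0.0.2 -j SNAT --to 1.2.3.4"""
    if out_if == "eth0" and p.src == SERVER:
        # Real netfilter may also remap sport on a collision; ignored here.
        reply = (p.proto, p.dst, p.dport, FW_EXT, p.sport)
        conntrack[reply] = (p.src, p.sport)
        return Pkt(FW_EXT, p.sport, p.dst, p.dport, p.proto)
    return p


def prerouting(p):
    """Inbound: reverse the SNAT only for a tracked connection's replies.
    No DNAT rule exists, so a fresh connection to 1.2.3.4 is left alone."""
    orig = conntrack.get((p.proto, p.src, p.sport, p.dst, p.dport))
    if orig is None:
        return p
    return Pkt(p.src, p.sport, orig[0], orig[1], p.proto)


def route(p):
    """Routing decision after PREROUTING: the firewall's own IPs are
    delivered locally (e.g. to its sshd), anything else is forwarded."""
    return "local" if p.dst in (FW_EXT, FW_INT) else "forward"


if __name__ == "__main__":
    out = postrouting(Pkt(SERVER, 40000, "203.0.113.10", 80), "eth0")
    back = prerouting(Pkt("203.0.113.10", 80, FW_EXT, 40000))
    print(out, back, route(back))  # reply is forwarded back to 10.0.0.2
    ssh = prerouting(Pkt("198.51.100.7", 51000, FW_EXT, 22))
    print(ssh, route(ssh))  # new ssh session stays with the firewall
```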