> Bringing down and up all your aliases doesn't really belong in this script and I'm not sure it will actually do anything if they're all static address anyway. Shouldn't do any harm though.
--- This is only for testing and implementation purposes. The version of my script that I posted doesn't exactly reflect the script that I have at this moment. Some of the sub-interfaces I have shut down through this script in order to avoid IP conflicts with the servers running from the old network. Once I have moved all of the servers onto the new DMZ network behind the Linux box this section of the script will be removed.

> Why are you running "/etc/init.d/iptables stop" and "/etc/init.d/iptables start" when you just flush the rules a few lines later (probing for modules maybe)? This also shouldn't do any harm but is inefficient and you could end up restoring some stale rules if they contained some user defined chains.

--- Point taken.

> In almost every rule block for each IP you have a couple of rules for dns like the following:
>
> iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.209
> iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -i -j DNAT --to 192.168.1.209
>
> These rules are NOT unique and each subsequent rule further down the script will overwrite the previous one with the new --to IP. To make these rules unique you need to add an argument for the destination IP (-d 60.30.135.xxx) to each rule. I suspect this is the major reason your script isn't working as expected but haven't looked too closely to see if there are others. It might be best to comment out all the rules for each host except one or two until you get things working right for those hosts first. Good luck!

--- Oops... Thanks for catching that. I actually was doing it by interface originally, but ran into a brick wall as iptables doesn't appear to like the "eth0:1" type syntax. Does iptables support sub-interfaces at all? Or am I just using the wrong syntax? Alternatively, yeah, I could do destination IP as you suggest. Is there any benefit of one way over the other?

I was originally thinking interface would be the best way to go in order to avoid IP spoofing. Or am I completely out to lunch? For now I will try the destination IP as you suggest. Thank you very much for the suggestions. Really appreciate it.

Regards,
Brian Horncastle
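The fix discussed above (keying each PREROUTING DNAT rule on its public address with -d), as an added example that is not part of the thread or Brian's script: one function emits per-host rules that carry -d, and a lint pass flags rules in the posted shape that omit it. The public address 60.30.135.10 and the sample rule file are constructed for the example.

```shell
#!/bin/sh
# dnat_rules PUBLIC_IP INTERNAL_IP PORT...
# Emits one tcp and one udp DNAT rule per port, each matching on the
# public destination address, so rules for different hosts cannot
# collide on protocol/port alone.
dnat_rules() {
    pub=$1; int=$2; shift 2
    for port in "$@"; do
        for proto in tcp udp; do
            printf 'iptables -t nat -A PREROUTING -d %s -p %s --dport %s -j DNAT --to-destination %s\n' \
                "$pub" "$proto" "$port" "$int"
        done
    done
}

# lint_dnat FILE
# Prints every nat/PREROUTING DNAT rule that has no -d match and returns 1
# if any exist (the first such rule matches all traffic for that
# protocol/port, so later rules for other hosts are never reached).
lint_dnat() {
    awk '
        /PREROUTING/ && /-t nat/ && /-j DNAT/ && !/ -d / {
            print "no destination match: " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample in the shape of the posted script: two hosts both
# forward DNS without -d, so the rule for 192.168.1.210 is shadowed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.209
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.209
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.210
EOF
lint_dnat "$sample" && echo "no shadowed DNAT rules" || echo "fix: add -d PUBLIC_IP to each rule"
rm -f "$sample"

# Corrected rules for one host; run the printed commands only on the firewall.
dnat_rules 60.30.135.10 192.168.1.209 53
```

The lint only reads a rule listing, so it can be run against the script text before loading it on the box.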
