Hello Borsenkow,

The -i eth1 doesn't work; it says it can't be used in POSTROUTING.

OK, tried the static arp with the same results. I also used "ip address add 172.16.231.x dev eth0", which put the IPs on eth0, with the same results.

Sunday, October 21, 2001, 8:52:24 AM, you wrote:

BA> On Sun, 2001-10-21 at 09:01, Robin Cook wrote:
>> Hello David,
>>
>> Found the problem to the single ping return.
>>
>> iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j SNAT --to-source 172.16.231.57-172.16.231.59
>>
BA> Yes, I was about to suggest the same. You can also do
BA> -i eth1 -o eth0
BA> to match only packets from your internal network.
>> If I leave the -s 10.1.1.0/24 out, the routing box and the outside box
>> stop being able to ping the ISP or the Internet (just the first one
>> returns; the rest time out).
>>
>> So now, for the routing box and the outside box, I can ping anywhere
>> and get all responses back. The routing box is also able to ping
>> the inside boxes.
>>
>> The inside boxes can ping the router box and the outside box without
>> problem but cannot ping the ISP or an Internet site. I have also
>> tried the ftp and http protocols from the inside boxes with the same
>> results.
>>
BA> I have one idea that explains why internal boxes do not work; it does
BA> not explain why you can ping the external box though :-)
BA> It may be possible that for every SNAT rule in POSTROUTING the kernel
BA> internally sets up a matching DNAT rule in PREROUTING (actually it is really
BA> the case). In this case it may happen that your reply packets are not
BA> matched because they come to different interfaces.
BA> You have eth0 with 61 and eth0:0, eth0:1, eth0:2 with 57, 58, 59
BA> correspondingly. You set up your DNAT for packets coming *out of* eth0;
BA> it may be possible that the SNAT rule will match only packets coming *into*
BA> eth0.
BA> But reply packets in this case are coming into *different interfaces*,
BA> notably eth0:0 through eth0:2, and are ignored by NAT. I looked into the
BA> netfilter code but it was way too complicated.
BA> Try the following.
BA> 1. Remove all alias interfaces. Define SNAT to the basic address only, i.e.
BA> to 61 (the address of your true interface). See if it works.
BA> 2. If it works, define static arp entries for your additional addresses;
BA> see man arp, it looks like
BA> arp -s 172.16.231.57 <ethernet address of eth0>
BA> ...
BA> Check if it works.
BA> Is it possible to define an alias without defining a new interface?
>> With a sniffer on the outside box I can see all the translated ping
>> requests from an inside box and the returning responses. But the
>> response is not getting translated back and sent to the inside box.
>>
BA> That more or less confirms it; it still does not explain why you can
BA> ping the external box ... :(
BA> -andrej

-- 
Best regards,
Robin                            mailto:[EMAIL PROTECTED]
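An added example, not part of the thread: a POSIX shell script that emits the SNAT setup the thread arrives at (a source-network match in POSTROUTING, since iptables rejects -i there) and a small checker that flags an interface match the chain cannot see, which is exactly the "-i eth1 -o eth0" suggestion the kernel refused. The addresses, interface names and the 172.16.231.57-59 pool are the thread's own; the FORWARD rules, the /24 prefix on the alias addresses and the ip_forward sysctl are assumptions added to make the ruleset complete.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the SNAT setup the thread
# arrives at and checks each iptables rule for an interface match that
# its chain cannot see: POSTROUTING/OUTPUT have no input interface (-i),
# PREROUTING/INPUT have no output interface (-o).
# Addresses and interface names are the thread's; the FORWARD rules,
# the /24 prefix and the ip_forward sysctl are assumptions.

INSIDE_NET=10.1.1.0/24
IN_IF=eth1
OUT_IF=eth0
SNAT_POOL=172.16.231.57-172.16.231.59

# Print the commands rather than run them, so the set can be reviewed
# (or piped to sh on the router) without touching the live box.
# Putting the pool addresses on eth0 with "ip address add" makes the
# kernel answer ARP for them; no static arp entries are needed.
nat_rules() {
    cat <<EOF
ip address add 172.16.231.57/24 dev $OUT_IF
ip address add 172.16.231.58/24 dev $OUT_IF
ip address add 172.16.231.59/24 dev $OUT_IF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $INSIDE_NET -o $OUT_IF -j SNAT --to-source $SNAT_POOL
iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $INSIDE_NET -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $IN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# check_nat_rule "<iptables command line>"
# Returns 0 if the interface matches are legal for the chain, 1 otherwise.
check_nat_rule() {
    chain= in_if= out_if=
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -A|-I|--append|--insert) chain=$2; shift ;;
            -i|--in-interface)       in_if=$2; shift ;;
            -o|--out-interface)      out_if=$2; shift ;;
        esac
        shift
    done
    case $chain in
        POSTROUTING|OUTPUT) [ -z "$in_if" ] ;;
        PREROUTING|INPUT)   [ -z "$out_if" ] ;;
        *)                  true ;;
    esac
}

# Run the checker over every iptables line nat_rules emits.
check_all() {
    nat_rules | while read -r line; do
        case $line in
            iptables*) check_nat_rule "$line" || exit 1 ;;
        esac
    done
}

check_all && nat_rules
```

The checker only knows about interface matches, which is the error the thread hit; it does not validate targets or addresses. Replies to the SNATed flows are un-NATed by conntrack on the way back, so no matching PREROUTING rule is written for them.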
