Bruno Negrão wrote:
> Hi all,

Hi Bruno

> I'm using a linux firewall with two ethernet interfaces + iptables +
> masquerading (for windows clients) + NAT 1:1 (for application servers).
> My external interface, eth0, has 3 ip addresses (ip aliasing) destined to
> make 1:1 NAT for 3 internal servers.
>
> When some internet machine connects to one of my internal servers, let's say
> server1, it will connect to the firewall's external aliased ip (eth0:0 -
> 200.111.111.111) which will be managed by the following rule:
> $IPTABLES -t nat -A PREROUTING -d 200.111.111.111 -j DNAT --to-destination $SERVER1_INTERNAL_IP
>
> But, when server1 starts a connection to the outside world, it will match
> the default masquerading rule to all internal machines:
> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.111.111.110

You have to insert SNAT rules for each of your internal servers BEFORE the general rule from above, like this:

$IPTABLES -t nat -A POSTROUTING -s $SERVER1_INTERNAL_IP -o eth0 -j SNAT --to $SERVER1_EXTERNAL_IP
$IPTABLES -t nat -A POSTROUTING -s $SERVER2_INTERNAL_IP -o eth0 -j SNAT --to $SERVER2_EXTERNAL_IP
$IPTABLES -t nat -A POSTROUTING -s $SERVER3_INTERNAL_IP -o eth0 -j SNAT --to $SERVER3_EXTERNAL_IP

here your general SNAT rule for the rest of your internal machines

> What perturbs me is: when server1 answers the outside world it will show a
> source ip 200.111.111.111. But when server1 starts a connection to the
> internet, it will use the ip 200.111.111.110 - the ip of the firewall's
> eth0.

This is because of your DNAT rules and just one SNAT rule ....

> Does it offer any problem? How are you dealing with this case?
> Don't I need an additional rule as:
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT -s $SERVER1_INTERNAL_IP -j SNAT --to-destination 200.111.111.111
> ??
>
> thank you all,

Cheers,
Phibo

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
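The ordering point Phibo makes, as an added example that is not code from the thread: a toy model of first-match evaluation in the nat POSTROUTING chain, with a check that flags rules a catch-all placed earlier would shadow. The internal 10.0.0.x addresses and the .112/.113 external addresses are constructed; only 200.111.111.110 and .111 come from the thread.

```python
# Toy first-match model of iptables' nat POSTROUTING chain (added example).
# Internal 10.0.0.x hosts and the .112/.113 externals are constructed values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class SnatRule:
    to_source: str                    # -j SNAT --to-source
    src: Optional[str] = None         # -s  (None = any source)
    out_iface: Optional[str] = None   # -o  (None = any interface)

    def matches(self, src_ip: str, out_iface: str) -> bool:
        if self.out_iface is not None and self.out_iface != out_iface:
            return False
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src):
            return False
        return True

    def covers(self, other: "SnatRule") -> bool:
        """True if every packet `other` would match is already matched by self."""
        iface_ok = self.out_iface is None or self.out_iface == other.out_iface
        src_ok = self.src is None or (
            other.src is not None and ip_network(other.src).subnet_of(ip_network(self.src)))
        return iface_ok and src_ok


def postrouting_source(rules: List[SnatRule], src_ip: str, out_iface: str = "eth0") -> Optional[str]:
    """Source address after NAT: the first matching rule wins, as in netfilter."""
    for rule in rules:
        if rule.matches(src_ip, out_iface):
            return rule.to_source
    return None  # no rule matched: packet keeps its original source


def shadowed(rules: List[SnatRule]) -> List[SnatRule]:
    """Rules that an earlier, broader rule makes unreachable (a misordered chain)."""
    return [r for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]


SERVER1, SERVER2, SERVER3 = "10.0.0.11", "10.0.0.12", "10.0.0.13"   # constructed
PER_SERVER = [
    SnatRule("200.111.111.111", src=SERVER1, out_iface="eth0"),
    SnatRule("200.111.111.112", src=SERVER2, out_iface="eth0"),   # constructed external
    SnatRule("200.111.111.113", src=SERVER3, out_iface="eth0"),   # constructed external
]
GENERAL = SnatRule("200.111.111.110", out_iface="eth0")          # Bruno's catch-all
WRONG_ORDER = [GENERAL] + PER_SERVER    # catch-all first: per-server rules never fire
RIGHT_ORDER = PER_SERVER + [GENERAL]    # Phibo's fix: specific rules before the general one
```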
