OK. To get DNAT to work this is what I had to do:
1. Set up the iptables filter rules to allow and redirect traffic to the machines (INPUT, FORWARD, OUTPUT, POSTROUTING)
2. Then I had to set up ip aliases on the firewall (with the internet addresses of the DNATed machines) to 'accept' the traffic for the DNATed machines. The alternative is proxy-arp.

That's it ...

Ray

4/8/02 10:43:24 AM, Tom Walder <[EMAIL PROTECTED]> wrote:

>Hi Ray,
>
>The machines need to be accessed from the internet
>
>Tom
>
>At 10:41 08/04/2002 +0200, you wrote:
>>4/8/02 9:32:51 AM, Tom Walder <[EMAIL PROTECTED]> wrote:
>>
>> >Can anyone advise on the correct way of setting up iptables with DNAT ?
>> >
>> >I have about 100 machines that I wish to hide behind the fw using DNAT
>> >
>>So all of these machines need to be accessed from the internet, or do they
>>only need to make connections to the internet?
>>
>> >Do I :-
>> >
>> >a) Add the external IP addresses of the machines I wish to nat on to the
>> >firewall machine
>> >
>> >or
>> >
>> >b) Add static routes on our border router to send all ip traffic for these
>> >machines to the firewall's main ip address
>> >
>> >Extra info - making changes to the border router is a pain in the arse, as it
>> >is managed by our isp.
>> >
>> >Hope this question makes sense! I am still finding my way with iptables
>> >
>> >Thanks - Tom
>> >
>>----------------------------------------
>>Ray Leach (Technical Network Specialist)
>>Knowledge Factory
>>www: http://www.knowledgefactory.co.za
>>ICQ:153663421
>>Tel: +27-11-444-5006
>>Fax: +27-11-444-5007
>>"No matter where you go, there you are."
>>----------------------------------------

----------------------------------------
Ray Leach (Technical Network Specialist)
Knowledge Factory
www: http://www.knowledgefactory.co.za
ICQ:153663421
Tel: +27-11-444-5006
Fax: +27-11-444-5007
"No matter where you go, there you are."
----------------------------------------
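The two steps Ray describes, written out as an added example that is not from the thread: a POSIX shell function that prints the ip/iptables commands for one DNATed host, so the rule set can be reviewed before it is piped to sh as root. The interface, addresses and port (eth0, 203.0.113.10, 192.168.1.10, 80) are constructed placeholders from the RFC 5737/RFC 1918 ranges, not the original poster's.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# dnat_rules EXT_IF EXT_IP INT_IP PORT  -> prints the commands for one host.
# Review the output, then apply it as root with:  dnat_rules ... | sh
# All addresses below are constructed placeholders.
dnat_rules() {
    ext_if=$1; ext_ip=$2; int_ip=$3; port=$4
    cat <<EOF
# Step 2 in the mail: alias the public address on the firewall so the
# firewall answers ARP for it (the alternative is proxy-arp on $ext_if).
ip addr add $ext_ip/32 dev $ext_if
# The kernel must route between interfaces or FORWARD never sees the packets.
sysctl -w net.ipv4.ip_forward=1
# Least privilege: nothing is forwarded unless a rule below allows it.
iptables -P FORWARD DROP
# Rewrite the destination before routing: public address -> internal host.
iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $port \
    -j DNAT --to-destination $int_ip:$port
# Step 1 filter rules: only the DNATed port inbound, only replies outbound.
iptables -A FORWARD -i $ext_if -d $int_ip -p tcp --dport $port \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $int_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# POSTROUTING: the host's own outbound traffic leaves with its public
# address, so replies come back through the same firewall.
iptables -t nat -A POSTROUTING -o $ext_if -s $int_ip -j SNAT --to-source $ext_ip
EOF
}

# Print the rule set for one host when run directly with four arguments.
if [ "$#" -eq 4 ]; then
    dnat_rules "$@"
fi
```

Repeat the call once per public/internal pair; with many hosts, the ip alias step is the part that scales worst, which is why proxy-arp is mentioned as the alternative.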
