On Wednesday 03 July 2002 5:39 pm, "Jürgen" Danielsson wrote:
> Thanks for the reply
>
> I asked the company earlier why they don't put it on
> the 172 net they have as well, the explanation will be
> a bit too long to get here, but the answer is that they
> must have a real c-net behind the firewall since they
> are connected to another net as well that requires real
> IPs (short version).
>
> And they don't want the iii.iii.iii.iii net to be
> accessible from the outside, that's why I am stuck.
Okay, I'll accept that you have some frustrating reasons why things just have to be this way. Here's a suggestion for how to solve things:

iptables -A PREROUTING -i eth1 -t nat -d iii.iii.iii.0/24 -j DROP

*before* the rule which says

iptables -A PREROUTING -t nat -d ooo.ooo.17.54 -p tcp --dport 25 -j DNAT --to-destination iii.iii.iii.15:25

These rules will:
1. Drop any incoming packets originally addressed to iii.iii.iii.iii IPs
2. Translate packets for ooo.ooo.17.54 port 25 to iii.iii.iii.15

Forwarding remains the same.

Antony.
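The following script is an added example, not part of the original thread or Antony's reply. It spells out the complete rule set for the set-up discussed above: DNAT one public address/port to one internal host while keeping the rest of the internal /24 unreachable from outside. Two details matter in practice: the rewrite in PREROUTING must be DNAT (SNAT is only valid in POSTROUTING), and the nat table only sees the first packet of each connection, so the "drop everything else addressed to the internal net" rule is placed in the filter table's FORWARD chain rather than in nat. All addresses, the interface name and the IPT dry-run switch are assumptions standing in for the thread's ooo.ooo.17.54, iii.iii.iii.0/24, iii.iii.iii.15 and eth1.

```shell
#!/bin/sh
# Added example (not from the original thread). Forwards inbound SMTP on one
# public address to one internal host and blocks every other packet from the
# outside that is addressed to the internal /24.
#
# Placeholders (assumptions; substitute your own values):
#   PUB_IP   public address that should accept SMTP (ooo.ooo.17.54 in the thread)
#   INT_NET  internal /24 that must stay hidden    (iii.iii.iii.0/24)
#   INT_HOST internal mail host                    (iii.iii.iii.15)
#   WAN_IF   interface facing the outside          (eth1)
# IPT defaults to echoing the commands so the rules can be reviewed without
# root; run with IPT=iptables to apply them for real.

PUB_IP="${PUB_IP:-198.51.100.54}"
INT_NET="${INT_NET:-192.0.2.0/24}"
INT_HOST="${INT_HOST:-192.0.2.15}"
WAN_IF="${WAN_IF:-eth1}"
IPT="${IPT:-echo iptables}"

apply_rules() {
    # nat table: rewrite the destination of inbound SMTP to the internal host.
    # This has to be DNAT; SNAT is rejected in PREROUTING.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUB_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$INT_HOST:25"

    # filter table: FORWARD sees the already-rewritten destination, so allow
    # exactly the DNATed SMTP flow plus replies, then drop everything else
    # from outside that targets the internal range. Filtering here (not in
    # nat) matters because nat only inspects the first packet of a connection.
    $IPT -A FORWARD -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -d "$INT_HOST" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -d "$INT_NET" -j DROP
}

apply_rules
```

Running the script as-is prints the four iptables commands for review; `IPT=iptables sh script.sh` installs them. Order is significant: the ESTABLISHED,RELATED rule lets return traffic through, the NEW rule admits only the forwarded port on the one host, and the final DROP catches any other inbound packet aimed at the hidden range, whether or not a nat rule touched it.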
