On Tue, 02 Aug 2005 00:13:52 +0200
Morten Nilsen <[EMAIL PROTECTED]> wrote:
               eth1    eth0
(isp1)---- [box2] ----- [box3] ----- (isp2)
[box1] --'
box1(today) 10.0.0.2 (isp1)
box2(today) 10.0.0.3 (isp1) / 10.0.1.1 (dmz)
box3(today) 10.0.2.2 (isp2) / 10.0.1.2 (dmz)
box1(future) 10.0.1.3 (dmz)
You could do something like this:
# forward 10.0.0.2 to box1 in dmz
iptables -t nat -A PREROUTING -i eth1 -d 10.0.0.2 -j DNAT --to 10.0.1.3
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate DNAT -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -d 10.0.1.3 -j SNAT --to 10.0.1.1
# allow reply
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
So all packets isp1 -> 10.0.0.2 will change to 10.0.1.1 -> 10.0.1.3 on eth0.
The replies from box1 look like 10.0.1.3 -> 10.0.1.1 and will be
(automagically natted) back to 10.0.0.2 -> isp1.
Olaf
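An added illustration, not part of Olaf's reply: a small Python model of the address rewriting those two nat rules and the conntrack table perform on one flow, using the addresses from the thread (the isp1-side client address 198.51.100.7 and the ports are constructed). The SNAT to 10.0.1.1 is what makes box1 answer box2 instead of routing the reply to the original isp1 address via its own default gateway; the FORWARD filter rules are not modelled.

```python
from dataclasses import dataclass

# box2's rules from the thread: PREROUTING DNAT on eth1, POSTROUTING SNAT on eth0
DNAT_MAP = {"10.0.0.2": "10.0.1.3"}   # public-side address -> box1 in the dmz
SNAT_SRC = "10.0.1.1"                 # box2's dmz address, used for -d 10.0.1.3


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def tuple_of(p: Packet):
    return (p.src, p.dst, p.sport, p.dport)


class Conntrack:
    """Minimal conntrack: remembers original and translated tuples per flow."""

    def __init__(self):
        self.entries = {}  # original tuple -> translated tuple

    def forward(self, p: Packet, in_if: str) -> Packet:
        """isp1 (eth1) -> dmz (eth0): apply DNAT, then SNAT, record the flow."""
        if in_if != "eth1" or p.dst not in DNAT_MAP:
            return p  # no DNAT rule matched; packet passes unchanged
        new_dst = DNAT_MAP[p.dst]
        new_src = SNAT_SRC if new_dst == "10.0.1.3" else p.src
        translated = Packet(new_src, new_dst, p.sport, p.dport)
        self.entries[tuple_of(p)] = tuple_of(translated)
        return translated

    def reply(self, p: Packet) -> Packet:
        """dmz -> isp1: conntrack undoes both translations for a known flow."""
        for orig, trans in self.entries.items():
            # a reply is the translated tuple with src/dst (and ports) swapped
            if (trans[1], trans[0], trans[3], trans[2]) == tuple_of(p):
                o_src, o_dst, o_sport, o_dport = orig
                return Packet(o_dst, o_src, o_dport, o_sport)
        return p  # no matching flow: left untouched (and would hit FORWARD policy)


def demo():
    """Constructed client 198.51.100.7 on the isp1 side talks to 10.0.0.2:80."""
    ct = Conntrack()
    out = ct.forward(Packet("198.51.100.7", "10.0.0.2", 40000, 80), "eth1")
    back = ct.reply(Packet("10.0.1.3", "10.0.1.1", 80, 40000))
    return out, back


if __name__ == "__main__":
    print(demo())
```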
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss