Excuse my

iptables -m mac --mac-source 00:20:23:20:20:20

You will do this because you don't want your /26 to become a /27 and lose 3 addrs.

Aliases are no longer called aliases but for convenience

On Tue, 2005-10-25 at 14:21 +0100, Oscar Mechanic wrote:
> So you want packets leaving the WAN to have address e.f.g.h/26 rather
> than a.b.c.d/30
>
> That would mean your ISP has assigned you the two ranges e.f.g.h and
> a.b.c.d.
>
> Your gateway cannot be a gateway from this diagram
>
> That must be e.f.g.h/27 GW has
> e.f.g.h/27 and e.f.g.h/26 interfaces
>
> > >>        DMZ                GW/FW                     ISP/Internet
> > >>-----------------------------------------------------------------------
> > >> Server #1 --|
> > >> e.f.g.h3/26 |
> > >>             |---- Gateway/Firewall --- ISP WAN IP: a.b.c.d/30
> > >> Server #2 --|     a.b.c.d1/30           Ext. IP: e.f.g.h/26
> > >> e.f.g.h4/26       e.f.g.h1/26
> > >>----------------------------------------------------------------------
>
> I would assume what you will end up doing is
>
> iptables -t nat -A POSTROUTING -m mac-source <MACSERVER1> -j SNAT --to-source <ALIAS1 of GW>
> iptables -t nat -A POSTROUTING -m mac-source <MACSERVER2> -j SNAT --to-source <ALIAS2 of GW>
>
> Where ALIAS1 and ALIAS2 are the IPs of server 1 and server 2 aliased on
> the firewall
>
> Regards
> Shane
>
> On Tue, 2005-10-25 at 14:58 +0200, Daniel Frederiksen wrote:
> > Oscar Mechanic wrote:
> > > Maybe I have missed something and you need to do it in POSTROUTING but
> > > how about SNAT.
> > >
> >
> > Well currently I do not NAT at all. I have ip_forwarding enabled and
> > have assigned the first IP from the external block on the inside of the
> > Gateway/Firewall. On the outside of the Gateway/Firewall I have assigned
> > the WAN IP. This way when a system on the DMZ establishes a connection
> > it is forwarded through the Gateway.
> >
> > Any suggestions to changes are appreciated.
> >
> > /Daniel..
> >
> > > PS: ip can do stateless nat.
> > >
> > > On Tue, 2005-10-25 at 14:36 +0200, Daniel Frederiksen wrote:
> > >
> > >>Hello folks..
> > >>
> > >>Do any of you know if it is possible to rewrite the ip src in a packet.
> > >>I have a problem involving a DMZ with external IP addresses routed
> > >>through a single WAN IP. When the server initiates a connection, it looks
> > >>like it comes from the WAN ip instead of its designated External IP
> > >>routed through the WAN.
> > >>So in short, is it possible to rewrite the packet in the router, with
> > >>iptables, to make it look like it comes from the external IP address
> > >>instead of the WAN IP of the router/firewall.
> > >>
> > >>Thank you very much for your time, I appreciate it.
> > >>
> > >>/Daniel Frederiksen
> > >>
> > >>
> > >>NB: Small diagram of the setup.
> > >>
> > >>        DMZ                GW/FW                     ISP/Internet
> > >>-----------------------------------------------------------------------
> > >> Server #1 --|
> > >> e.f.g.h3/26 |
> > >>             |---- Gateway/Firewall --- ISP WAN IP: a.b.c.d/30
> > >> Server #2 --|     a.b.c.d1/30           Ext. IP: e.f.g.h/26
> > >> e.f.g.h4/26       e.f.g.h1/26
> > >>----------------------------------------------------------------------
> > >>
> > >>_______________________________________________
> > >>LARTC mailing list
> > >>LARTC@xxxxxxxxxxxxxxx
> > >>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
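The MAC-keyed SNAT that Shane sketches, worked through as an added example that is not code from the thread: it uses the corrected `-m mac --mac-source` syntax, adds each server's address as a secondary address on the WAN side of the gateway, and, because the mac match is documented only for the PREROUTING, INPUT and FORWARD chains, marks the packet on entry and keys the SNAT in POSTROUTING on that mark. The interface names eth0/eth1, the mark values and the second MAC are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): MAC-keyed SNAT for the DMZ layout
# above, using the corrected "-m mac --mac-source" syntax. Interface
# names, mark values and the second MAC are assumptions for illustration.
# Default is a dry run that prints the commands; set DRY_RUN=0 to apply.

WAN_IF="${WAN_IF:-eth0}"   # assumed: carries a.b.c.d1/30 towards the ISP
DMZ_IF="${DMZ_IF:-eth1}"   # assumed: carries e.f.g.h1/26 towards the DMZ
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Reject malformed MACs before they reach iptables; a typo here would
# silently leave a server NATted to the WAN IP instead of its own address.
valid_mac() { echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# snat_by_mac MAC EXT_IP MARK
# Frames from MAC on the DMZ side leave the WAN with source EXT_IP.
# The mac match is documented for PREROUTING/INPUT/FORWARD only, so the
# packet is marked on entry and the SNAT in POSTROUTING keys on the mark.
snat_by_mac() {
    mac="$1" ext_ip="$2" mark="$3"
    valid_mac "$mac" || { echo "snat_by_mac: bad MAC '$mac'" >&2; return 1; }
    # Secondary ("alias") address on the WAN side so the ISP's ARP for
    # EXT_IP resolves to the gateway and return traffic comes back here.
    run ip addr add "$ext_ip/32" dev "$WAN_IF"
    run iptables -t mangle -A PREROUTING -i "$DMZ_IF" \
        -m mac --mac-source "$mac" -j MARK --set-mark "$mark"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" \
        -m mark --mark "$mark" -j SNAT --to-source "$ext_ip"
}

# The two servers from the diagram; the first MAC is the one quoted in the
# thread, the second is a constructed placeholder.
snat_by_mac 00:20:23:20:20:20 e.f.g.h3 1   # Server #1
snat_by_mac 00:20:23:20:20:21 e.f.g.h4 2   # Server #2
```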