If I understand correctly, the server is not directly connected to the internet, right? There are some boxes connected to the internet instead... am I right? If that's the case, in those boxes:

# your DNAT so requests are forwarded to the web server
iptables -t nat -A PREROUTING blah blah -j DNAT --to-destination webServersIP

# my SNAT so web requests will (sure as hell) come back this way.
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source thisHostsIP

Did I nail it?

On 1/2/06, Aleksander <aleksander@xxxxxxxxxxxxxxx> wrote:
> Edmundo Carmona wrote:
>
> >Can you SNAT (or masquerade) the requests before they are forwarded to
> >the WEB SERVER? That would do the trick (but destroy the statistics
> >:-( )
> >
> I can't really imagine doing a iptables SNAT (and delete!) for each
> connection which is DNAT'ed. And even if that would be possible, because
> there are several services running the SNATting would fall out of
> sync instantly. If that is what you propose.
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
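The DNAT/SNAT pair described in the thread, written out as a complete, added example (not code from either poster); the interface name and the 203.0.113.1 / 10.0.0.10 addresses are constructed placeholders, and the script only prints the rules unless DRY_RUN is unset:

```shell
#!/bin/sh
# Added example: emit (and optionally apply) the DNAT + SNAT rule pair
# that forwards one TCP service to an internal web server and forces
# the replies back through this box. Values passed in are assumed.

# nat_rules EXT_IF WEB_IP THIS_IP PORT
# Prints both iptables commands; applies them as well unless DRY_RUN=1.
nat_rules() {
    ext_if=$1; web_ip=$2; this_ip=$3; port=$4
    # 1. PREROUTING DNAT: inbound requests arriving on the public
    #    interface get their destination rewritten to the web server.
    dnat="iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to-destination $web_ip"
    # 2. POSTROUTING SNAT: the same flows are matched after DNAT, so -d
    #    is now the web server; rewriting the source to this host's
    #    address guarantees the return path comes back through here.
    #    Cost: the web server's logs/statistics see this host's IP,
    #    not the real client's (the "destroy the statistics" caveat).
    snat="iptables -t nat -A POSTROUTING -d $web_ip -p tcp --dport $port -j SNAT --to-source $this_ip"
    printf '%s\n%s\n' "$dnat" "$snat"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        $dnat && $snat
    fi
}

# Constructed example: public box is 203.0.113.1 on eth0, web server
# is 10.0.0.10, service is HTTP on port 80. Dry run only.
DRY_RUN=1 nat_rules eth0 10.0.0.10 203.0.113.1 80
```

Conntrack keeps the DNAT and SNAT mappings for each flow together, so one rule per service is enough; no per-connection rule management is needed.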