hi all,

first of all: iptables is really great. please email me at this address: jpraher@yahoo.de, since I am not a member of this list.

I have the following scenario:
* firewall
* internal web server

the firewall has the public address of the server and forwards only port 80 to the server on the internal address. now for the internal server, I still want to be able to download things from the web, so I decided to do masquerading for the internal server. but somehow the internal server can't connect to external sites, that means it does not receive any answers. (this might be, as I have a tight forwarding policy between the nets)

my questions are:
* is there a problem when doing DNAT and SNAT for the same host?
* is the following right: the firewall's forward chain gets the SNATted request as an internal one (since SNAT happens at postrouting?) - but how does it get the results back, does the POSTROUTING change the incoming (the answer to an SNATted) packet before it gets in the forward queue?

to illustrate it:

outgoing packet:
  dest addr:   a.b.c.d
  source addr: 10.1.1.100
1) forward: nothing changed (routing decision is made with 10.1.1.100)
2) postrouting:
  dest addr:   a.b.c.d
  source addr: MASQUERADED

incoming request:
  source addr: a.b.c.d
  dest addr:   MASQUERADED

*** when is it written back to 10.1.1.100? ***
*** does the forward queue see MASQUERADED or 10.1.1.100? ***
*** this is important for me, as I have to know what I should allow in the forward chain to allow MASQUERADING ... ***

thanks
-- Jakob
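As an added example (not part of Jakob's mail), a ruleset for the setup he describes: DNAT for port 80 in PREROUTING, MASQUERADE for the server in POSTROUTING, and a FORWARD chain written against the internal address, because DNAT has already happened and conntrack has already reversed the masquerading on replies by the time FORWARD sees a packet. The interface names eth0/eth1 and the public address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumed: eth0 = public interface,
# eth1 = internal interface, 203.0.113.10 = the firewall's public address
# (documentation range, placeholder). 10.1.1.100 is the server from the mail.
IPT="${IPT:-iptables}"          # set IPT=echo to dry-run and only print the rules
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PUB_IP="${PUB_IP:-203.0.113.10}"
SRV_IP="${SRV_IP:-10.1.1.100}"

apply_rules() {
    # nat table. DNAT runs in PREROUTING, before routing and before FORWARD,
    # so FORWARD sees $SRV_IP:80 as the destination, never $PUB_IP.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUB_IP" --dport 80 \
         -j DNAT --to-destination "$SRV_IP:80"
    # MASQUERADE runs in POSTROUTING, after FORWARD. Conntrack undoes it for
    # the replies in PREROUTING, so FORWARD again sees $SRV_IP, not the
    # masqueraded address. Doing DNAT and SNAT for the same host is fine.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$SRV_IP" -j MASQUERADE

    # filter table: tight FORWARD policy, matched on the internal address.
    $IPT -P FORWARD DROP
    # replies in both directions (already de-NATted when they reach FORWARD)
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # inbound: only new connections to the server's port 80
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SRV_IP" --dport 80 \
         -m state --state NEW -j ACCEPT
    # outbound: the server may open new connections to the web
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$SRV_IP" \
         -m state --state NEW -j ACCEPT
}

# Only touch the firewall when asked explicitly: ./nat.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run with `IPT=echo sh nat.sh apply` first to review the exact rules before loading them.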