> on A:
>
> # iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --destination-port 80 \
>   -j DNAT --to-destination 2.2.2.2:8000
>
> Redirects packets destined for 1.1.1.1 port 80 to 2.2.2.2 port 8000. This
> is a way to 'tag' the packets (I opted against using any TCP options, as
> routers/firewalls along the way may play with said options).
>
> on B:
>
> # iptables -t nat -A POSTROUTING -s 2.2.2.2 -p tcp --source-port 8000 -j \
>   SNAT --to-source 1.1.1.1:80

I don't understand this rule. Do you really need this? The NATing of the
packets going back is done on A. Doesn't this rule break the NATing of
packets going back to A, as they do not have the source address and port
expected by A (the 2.2.2.2 and the port 8000)?

Regards,
Andreas
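The following is an added toy model of the two rules quoted above; it is not code from either poster. It shows how A's PREROUTING DNAT produces the conntrack entry that A later uses to reverse the translation on the reply, and what the reply looks like once B's POSTROUTING SNAT rule has rewritten its source. Assumptions, labelled in the code: the client address 10.0.0.5:40000 is constructed; conntrack is modelled as one expected-reply tuple per flow; NAT rules are applied to any packet they match, and B's own conntrack state is not modelled, so the model illustrates the question in the reply rather than settling how a real kernel on B would treat that packet.

```python
"""Toy model of the thread's DNAT (on A) / SNAT (on B) setup.

Added example, not from the mailing-list thread.  Assumptions:
- client 10.0.0.5:40000 is a constructed address;
- A's conntrack stores one expected-reply tuple per flow and reverses
  the NAT only for replies that match it exactly;
- NAT rules are applied to any packet they match; B's own conntrack
  state is deliberately not modelled.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    """TCP 4-tuple of one packet (addresses as strings, ports as ints)."""
    src: str
    sport: int
    dst: str
    dport: int


def matches(pkt, match):
    return all(getattr(pkt, field) == value for field, value in match.items())


def apply_rules(pkt, rules):
    """Apply (action, match, (ip, port)) NAT rules in order to one packet."""
    for action, match, (ip, port) in rules:
        if matches(pkt, match):
            if action == "DNAT":
                pkt = replace(pkt, dst=ip, dport=port)
            elif action == "SNAT":
                pkt = replace(pkt, src=ip, sport=port)
    return pkt


# on A: -t nat -A PREROUTING -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to 2.2.2.2:8000
A_PREROUTING = [("DNAT", {"dst": "1.1.1.1", "dport": 80}, ("2.2.2.2", 8000))]
# on B: -t nat -A POSTROUTING -s 2.2.2.2 -p tcp --sport 8000 -j SNAT --to 1.1.1.1:80
B_POSTROUTING = [("SNAT", {"src": "2.2.2.2", "sport": 8000}, ("1.1.1.1", 80))]


class Conntrack:
    """A's connection table: expected reply tuple -> original (pre-NAT) packet."""

    def __init__(self):
        self.table = {}

    def record(self, original, translated):
        # The reply A expects comes from the translated destination (2.2.2.2:8000)
        # back to the translated source (the client).
        expected_reply = Pkt(translated.dst, translated.dport,
                             translated.src, translated.sport)
        self.table[expected_reply] = original

    def reverse(self, reply):
        """Undo the NAT for a reply that matches a known flow; None otherwise."""
        original = self.table.get(reply)
        if original is None:
            return None
        return Pkt(original.dst, original.dport, original.src, original.sport)


def forward_through_a(ct, pkt):
    """Client->server packet entering A: DNAT, then record the flow."""
    out = apply_rules(pkt, A_PREROUTING)
    ct.record(pkt, out)
    return out


def server_reply(packet_at_server):
    """The server answers by swapping the tuple it received."""
    return Pkt(packet_at_server.dst, packet_at_server.dport,
               packet_at_server.src, packet_at_server.sport)


def run_scenario(apply_b_snat):
    """Return (packet as seen by the server, reply arriving at A,
    A's un-NATed reply or None) with or without B's SNAT rule applied."""
    ct = Conntrack()
    client = Pkt("10.0.0.5", 40000, "1.1.1.1", 80)   # constructed client flow
    at_server = forward_through_a(ct, client)        # -> 2.2.2.2:8000
    reply = server_reply(at_server)                  # 2.2.2.2:8000 -> client
    if apply_b_snat:
        reply = apply_rules(reply, B_POSTROUTING)    # source becomes 1.1.1.1:80
    return at_server, reply, ct.reverse(reply)


if __name__ == "__main__":
    for flag in (False, True):
        at_server, reply, undone = run_scenario(flag)
        print(f"B SNAT applied={flag}: reply at A={reply}, A reverses to={undone}")
```

Without B's rule the reply reaches A with source 2.2.2.2:8000, matches A's conntrack entry and is rewritten back to 1.1.1.1:80 for the client; with B's rule applied to the reply, the source is already 1.1.1.1:80 and A's table has no matching entry, which is the mismatch the reply above asks about.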