Matthew:

Thanks for responding....

> I'm not exactly sure I understand your network setup, but in
> a more typical setup one normally SNAT's all connections
> going out the external interface (because everything behind
> the firewall is "private").
>
> You seem to be saying that you are receiving packets with
> private source addresses on the "external" interface of your
> linux box and that these packets are destined for the
> Internet? Why would your Linux box be receiving these packets
> for routing? It doesn't seem like it should be in the routing path.

You're right, this isn't typical. I have my WAN lines terminating at my
ISP. They in turn forward these packets to me via the aDSL line. That's
the whole problem. Because the Linux box "sees" them as being bound for
another destination (the Internet in this case), the machine just
forwards them along without modifying them (i.e. leaving the source
address unmodified) and my ISP's routers then kill these packets for
being like this.

The funny thing about this is: I've got a MS Proxy Server 2.0 that's
doing the NATting for me now. So it is possible - somehow.

I think I need to somehow tell my Linux machine that the packets with
the 10.200.9.x and 10.200.10.x source addresses should be NATted as
they leave the routing process, but I can't get this done. I grant you
my knowledge of Linux and IPTABLES is weak, which is why (after a week
of pulling teeth) I've posed the problem to the list.

I've got this command in my script:

iptables -t nat -A POSTROUTING -o EXTIF -j SNAT --to-source EXTIP

Which (the way I read it) should NAT ALL packets going OUT across the
external interface. But I think what's happening is ONLY the packets
coming from the Linux box or its internal interface are getting NATted
(which would be typical). But I need to "tell" Linux that the other
subnets NEED the NATting as well. Is that possible?

I've also tried this:

iptables -t nat -A POSTROUTING -o EXTIF -j SNAT --to-source EXTIP
iptables -t nat -A POSTROUTING -s 10.200.9.0/24 -o EXTIF -j SNAT --to-source EXTIP
iptables -t nat -A POSTROUTING -s 10.200.10.0/24 -o EXTIF -j SNAT --to-source EXTIP

And that didn't work either.

Kevin

>
> ----- Original Message -----
> From: "Kevin L. Collins" <kcollins@qx.net>
> To: <netfilter@lists.samba.org>
> Sent: Sunday, December 08, 2002 7:57 PM
> Subject: FW: Trying to get a Subnet NATted
>
>
> > First I want to apologize if this makes it to the list more than
> > once, I've been having trouble joining the list.
> >
> > I've got a strange situation where I receive data from my WAN links
> > across the same Interface as my External Interface.
> >
> > Let me try to explain it with ASCII art....
> >
> >  +--------------+
> >  |     WAN      |
> >  |10.200.9.x/24 |
> >  |10.200.10.x/24|
> >  +------+-------+
> >         |
> >       aDSL
> >         |
> >  +------+------+
> >  |Real Internet|
> >  |   Subnet    |
> >  |   eth0 of   |
> >  |  Linux Box  |
> >  +-------------+
> >
> > I need to be able to bring the packets from the WAN subnet and then
> > "SNAT" them to allow them to go back out on to their final Internet
> > Destination. As it stands right now, the Linux machine is simply
> > routing them through to the Default Gateway and my ISP's router is
> > killing the packets because they are "improper" as they have a
> > destination address in the Private LAN subnets.
> >
> > What I would like to do is have IPTABLES apply the SNAT arrangement
> > that I have configured for my Internal LAN. Is this even possible?
> > And if so, how would I go about doing it? I've tried several things
> > over the past week to make it happen, but nothing is working. I
> > think I have to do something BEFORE the routing takes place, but I'm
> > not sure what. ANY help would be GREATLY appreciated.
> >
> > Kevin L. Collins, MCSE
> > Systems Manager
> > Nesbitt Engineering, Inc.
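An added example, not code from this thread: a small Python model of how the nat table's POSTROUTING chain evaluates the rules Kevin posted, read from a constructed `iptables-save -t nat` dump. It assumes EXTIF is eth0 (the interface in the diagram) and uses the documentation address 198.51.100.7 as a placeholder for EXTIP; the sample packets and the 192.168.1.0/24 internal LAN are constructed as well. It makes two things visible. A POSTROUTING rule with only `-o eth0` matches every packet routed out eth0 whatever its source address, forwarded packets from 10.200.9.x and 10.200.10.x included, so the two `-s` rules appended after it are shadowed and can never be reached (the `shadowed_rules` audit reports them). And the decision is only taken for packets that actually arrive at POSTROUTING; whether a packet gets that far is settled earlier (the routing decision, the filter table's FORWARD chain), which this model leaves out.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed `iptables-save -t nat` output built from the three rules in the
# thread.  Assumed: EXTIF is eth0 (the interface in the diagram); EXTIP is the
# documentation-range placeholder 198.51.100.7, not an address from the thread.
NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 198.51.100.7
-A POSTROUTING -s 10.200.9.0/24 -o eth0 -j SNAT --to-source 198.51.100.7
-A POSTROUTING -s 10.200.10.0/24 -o eth0 -j SNAT --to-source 198.51.100.7
COMMIT
"""

@dataclass
class Rule:
    chain: str
    text: str
    src: Optional[ipaddress.IPv4Network] = None  # -s, None = any source
    out_if: Optional[str] = None                 # -o, None = any interface
    target: str = ""
    to_source: Optional[str] = None

@dataclass
class Packet:
    src: str
    dst: str
    out_if: str  # interface the routing decision chose

def parse_nat_dump(dump: str) -> List[Rule]:
    """Turn the `-A CHAIN ...` lines of an iptables-save dump into Rules.
    Only -s/-o/-j/--to-source are understood; anything else raises so that
    a rule is never silently mis-modelled."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue  # table name, chain policies, COMMIT
        toks = shlex.split(line)
        rule = Rule(chain=toks[1], text=line)
        for opt, val in zip(toks[2::2], toks[3::2]):
            if opt == "-s":
                rule.src = ipaddress.IPv4Network(val, strict=False)
            elif opt == "-o":
                rule.out_if = val
            elif opt == "-j":
                rule.target = val
            elif opt == "--to-source":
                rule.to_source = val
            else:
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
        rules.append(rule)
    return rules

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule specifies must fit; an omitted -s or -o
    matches anything, which is what makes the first rule above so broad."""
    return ((rule.src is None or ipaddress.IPv4Address(pkt.src) in rule.src)
            and (rule.out_if is None or rule.out_if == pkt.out_if))

def postrouting_decision(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching POSTROUTING rule wins: (target, source address after NAT).
    netfilter consults the nat table for the first packet of a connection only
    and conntrack applies the result to the rest.  Whether a packet reaches
    POSTROUTING at all (routing, the filter table's FORWARD chain) is settled
    earlier in the stack and is outside this model."""
    for rule in rules:
        if rule.chain == "POSTROUTING" and matches(rule, pkt):
            if rule.target == "SNAT":
                return ("SNAT", rule.to_source or pkt.src)
            return (rule.target, pkt.src)
    return ("POLICY", pkt.src)  # chain policy ACCEPT: source left as is

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier terminating
    rule in the same chain matches a superset of their traffic."""
    def covers(a: Rule, b: Rule) -> bool:
        src_ok = a.src is None or (b.src is not None and b.src.subnet_of(a.src))
        if_ok = a.out_if is None or a.out_if == b.out_if
        return a.chain == b.chain and a.target != "LOG" and src_ok and if_ok

    return [j for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]

if __name__ == "__main__":
    rules = parse_nat_dump(NAT_DUMP)
    # Constructed packets: a forwarded WAN packet leaving on eth0, one from an
    # assumed internal LAN, and a reply routed back inward via eth1.
    for pkt in (Packet("10.200.9.25", "203.0.113.10", "eth0"),
                Packet("192.168.1.20", "203.0.113.10", "eth0"),
                Packet("203.0.113.10", "10.200.9.25", "eth1")):
        print(pkt.src, "->", pkt.dst, "out", pkt.out_if, postrouting_decision(rules, pkt))
    for idx in shadowed_rules(rules):
        print("never reached:", rules[idx].text)
```

Pasting the real output of `iptables-save -t nat` from the box into `NAT_DUMP` in place of the constructed text turns this into a quick audit of the live ruleset: the parser refuses options it does not model rather than guessing, and `shadowed_rules` is a cheap way to spot rules that were added during troubleshooting but can never match.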