Hi

Use SNAT on the POSTROUTING chain in the NAT table.

iptables -t nat -A POSTROUTING -d $NET_DMZ -j SNAT --to-source $IP_DMZ_IFACE

Also you would need a FORWARD rule to route the initial traffic:

iptables -A FORWARD -d $NET_DMZ -j ACCEPT

These are the least restrictive examples of possible rules. The above assumes you have public IPs in your DMZ.

Ray

On Fri, 2002-12-06 at 18:41, Jason Liao wrote:
> Hi,
>
> I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ.
> The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
> 66.134.34.249/28. The WAN interface connects to the Internet and the
> DMZ interface connects to a stub network.
>
> When someone sends a packet to the IP address of the DMZ interface from
> the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
> interface. I want to know if there is a way using iptables (maybe with
> other tools such as iproute2) to make this packet appear as if it
> arrives at the DMZ interface. The packet itself should not be
> modified. I need this to work because I am running an IPSec VPN with
> FreeS/WAN on the DMZ interface. When the ESP packets arrive on the WAN
> interface, they cannot be properly processed by IPSec because the ipsec0
> interface is tied to the DMZ interface directly.
>
> I looked at the mangle table but could not figure out if it is the right
> direction. I read about the ROUTE target but do not know if this target
> is for diverting packets to be sent OUT on another interface, or can it
> be used to change a packet's arriving interface.
>
> Thanks in advance.
>
> Jason Liao

--
Raymond Leach
Knowledge Factory
Tel: +27 11 445 8100
Fax: +27 11 445 8101
http://www.knowledgefactory.co.za/
http://www.saptg.co.za/
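Added example, not part of the thread: a dry-run script that fills in Ray's two rules with the addresses from Jason's message and places a tighter IPsec-only variant (IKE and ESP only, with conntrack for replies) beside them. The interface names eth0/eth2 and the DMZ network 66.134.34.240/28 (derived from 66.134.34.249/28) are assumptions.

```shell
#!/bin/sh
# Added example: generate the rules from the thread for Jason's topology.
# Addresses come from Jason's message; interface names are assumed.
WAN_IFACE=eth0                 # assumed WAN interface name
DMZ_IFACE=eth2                 # assumed DMZ interface name
IP_DMZ_IFACE=66.134.34.249     # firewall's DMZ address (from the thread)
NET_DMZ=66.134.34.240/28       # DMZ network derived from 66.134.34.249/28
IPT="${IPT:-echo iptables}"    # dry run by default; set IPT=iptables to apply

# Ray's least-restrictive pair: SNAT rewrites the source of anything headed
# for the DMZ subnet to the firewall's DMZ address, and FORWARD lets it through.
least_restrictive_rules() {
    $IPT -t nat -A POSTROUTING -d "$NET_DMZ" -j SNAT --to-source "$IP_DMZ_IFACE"
    $IPT -A FORWARD -d "$NET_DMZ" -j ACCEPT
}

# Tighter variant for the IPsec use case: only IKE (UDP/500) and ESP
# (IP protocol 50) arriving on the WAN interface may be forwarded into the
# DMZ; replies are matched by connection tracking; everything else is dropped.
ipsec_only_rules() {
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -d "$NET_DMZ" -p udp --dport 500 -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -d "$NET_DMZ" -p esp -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -j DROP
}

echo "# least restrictive (as posted):"
least_restrictive_rules
echo "# IPsec-only variant:"
ipsec_only_rules
```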