RE: Can iptables create alias IP for another box?

It works!!! Nice Christmas gift...thanks to everyone! Iptables is a superb piece of work.

Was fine with one NIC.  Your first picture below is close, just doesn't show WAN & routers between A & B.

To make it work I had to:

- echo 1 > /proc/sys/net/ipv4/ip_forward (arrgghh!)

- on a WAN router, shut off redirection to a separate web cache server (had no rules for its IP!)

- re-create the SNAT I'd tried originally...the 1.2.3.4 box needed to see the source of its http requests as the 10.5.6.7 box in order to reply.

So the rules that worked were:

# Generated by iptables-save v1.2.5 
*nat
-A PREROUTING -d 10.5.6.7 -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.2.3.4:80
-A POSTROUTING -d 1.2.3.4 -j SNAT --to-source 10.5.6.7

*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 1.2.3.4 -p tcp -m tcp --dport 80 -j ACCEPT

I may play with generalizing this to see if it works for, say, all tcp traffic.  This could be handy!

Thanks and peace!

Paul
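An added illustration (not from the thread or from netfilter itself) of why the third fix above, the SNAT, was required: a small Python model of host B's PREROUTING/FORWARD/POSTROUTING rules that traces a client's SYN to host A and A's reply back. The addresses 10.5.6.7 (B) and 1.2.3.4 (A) come from the rules above; the client address, ports and the DROP policy on FORWARD are assumptions.

```python
"""Added example (not from the thread): model of B's DNAT + SNAT rules, showing
why the SNAT is needed for A's reply to get back. 10.5.6.7 (B) and 1.2.3.4 (A)
are the thread's addresses; the client address and ports are constructed."""
from dataclasses import dataclass, replace

B = "10.5.6.7"        # host B, the iptables box
A = "1.2.3.4"         # host A, the real web server
CLIENT = "10.5.6.20"  # constructed client on B's subnet

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def forward_through_b(pkt, snat=True):
    """Packet as it leaves B toward A, or None if the FORWARD chain drops it."""
    # PREROUTING: -d 10.5.6.7 -p tcp --dport 80 -j DNAT --to-destination 1.2.3.4:80
    if pkt.dst == B and pkt.dport == 80:
        pkt = replace(pkt, dst=A, dport=80)
    # FORWARD sees the post-DNAT destination, hence -d 1.2.3.4 --dport 80 -j ACCEPT.
    # Assumes a DROP policy; the dump in the mail omits the :FORWARD policy line.
    if not (pkt.dst == A and pkt.dport == 80):
        return None
    # POSTROUTING: -d 1.2.3.4 -j SNAT --to-source 10.5.6.7 (Paul's third fix)
    if snat:
        pkt = replace(pkt, src=B)
    return pkt

def reply_as_seen_by_client(orig, sent):
    """A answers the packet it saw. A reply addressed to B reaches B, whose
    conntrack undoes both NATs (the RELATED,ESTABLISHED rule lets it through);
    otherwise A routes the reply straight to the client, bypassing B."""
    reply = Pkt(sent.dst, sent.dport, sent.src, sent.sport)
    if reply.dst == B:
        return Pkt(orig.dst, orig.dport, orig.src, orig.sport)
    return reply

def handshake_completes(orig, snat=True):
    """True if the client's SYN is answered by the peer it sent the SYN to."""
    sent = forward_through_b(orig, snat)
    if sent is None:
        return False
    reply = reply_as_seen_by_client(orig, sent)
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
        (orig.dst, orig.dport, orig.src, orig.sport)

SYN = Pkt(CLIENT, 40000, B, 80)  # constructed: client browsing http://10.5.6.7
# handshake_completes(SYN) -> True; handshake_completes(SYN, snat=False) -> False
```

Without the SNAT, A sends its SYN-ACK from 1.2.3.4 straight to the client, which only has a socket open toward 10.5.6.7 and so discards a reply from a peer it never contacted.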



-----Original Message-----
From: "Rob Sterenborg" <rsterenborg@xs4all.nl>
To: "Paul" <andnicky@myrealbox.com>, <netfilter@lists.netfilter.org>
Date: Tue, 24 Dec 2002 17:20:42 +0100 
Subject: RE: Can iptables create alias IP for another box?

> No joy yet.
>
> Have new box B w/fully updated RH 7.3.  Uninstalled
> ipchains so iptables could run.  Added rules shown below
> with 8080 changed to 80.  Rules are visible in iptables -L -v.
>
> But when I sniff the client attempting to browse
> http://10.5.6.7 from same subnet, it's issuing SYNs with no
> reply. Same whether httpd is up/down on 10.5.6.7.  Client
> can ping both B and A no problem.
>
> Should netstat -an show listening on 80?  Am I missing a

If httpd is running on port 80: yes.
If you're checking port 80 on B then it depends on whether your config is
correct.
In my situation, when portforwarding fails, nmap says "filtered",
otherwise "open".
I wouldn't use netstat to check. Use nmap to test host A from host B,
do not test host A from host A (or B from B). Always use another host
to check.
If the client is running linux, check host B from the client with
nmap.
While we're at it: do you want to use iptables or a webcache (you're
talking about that..)?

> fundamental setting that determines whether linux will
> forward packets at all?  This box has an eth1 that's

You do have "echo 1 > /proc/sys/net/ipv4/ip_forward"?
You could log what's happening using LOG rules, something like:
iptables -I FORWARD 1 -j LOG --log-prefix "FWD-check: "

> down...would it help to remove it?  Or connect it?!

I think using 2 NICs would be better as each can have its own
subnet...
To get a better picture, how are they connected right now?

-----------     ------------
| Host A  |     | Host B   |
| 1.2.3.4 |     | 10.5.6.7 |
-----------     ------------
      |               |
      -----------------------....
            |
        ----------
        | Client |
        ----------

Or like this?

----------------                ------------
| Host B       |                | Host A   |
|  eth1 ?.?.?.?|-----------     | 10.5.6.7 |
|eth0 10.5.6.7 |          |     |          |
----------------          |     ------------
      |                   |           |
      ----------....      ------------------....
            |
        ----------
        | Client |
        ----------


Rob