On Tuesday 07 January 2003 03:38 am, 廖琪 wrote: > I have a question when i use the NAT. > > I have two LAN A and B , A is 202.115.60.0/24 and B is 202.115.70.0/24 > . LAN A have a server C which ip is 202.115.60.2, and LAN B have a > server D which ip is 202.115.70.3 , normal, the server C provide the > service, when the server D shutdown, I want use server B provide the > service intead of the server C. I'm not sure where 'server B' came from here... And I'm not sure if I follow what you are really trying to do, maybe because 'server B' confuses things. However: > I think the NAT maybe solve the question . So, I use the DNAT and > SNAT: > > at the netgate of LAN A,do this: > #iptables -t nat -A PREROUTING -s ! 202.115.70.0/24 -d 202.115.60.2 > -j DNAT --to 202.115.70.3 > #iptables -A FORWARD -d 202.115.70.0/24 -j ACCEPT > > at the netgate of LAN B , do this: > #iptables -t nat -A POSTROUTING -s 202.115.70.3 -d ! 202.115.60.0/24 > -j SNAT --to 202.115.60.2 > > but when I check the ip package use tcpdump , I find the SNAT did not > work, the source address of the package from the server D is > 202.115.70.3 , not 202.115.60.2. > > then I do a test. when i send a ping package from the server D, the > source address of the ping > > package change the 202.115.60.2, here the SNAT work well. OK. The SNAT works when the packet originates from server D, but DOESN'T work when the packet comes from D as a reply. I would suspect a DNAT getting reversed, except you say that tcpdump finds the original IP intact. (Where are you checking it?) It seems that the only reason the packet would not match your SNAT rule then is if the destIP doesn't match. (or if an earlier POSTROUTING rule is catching it for some reason) You are checking if the destIP is NOT on LAN A, but the only way packets get DNATted there initially is if they are NOT from LAN B. If this is all internal, and just these two LANs, then this combination doesn't make sense. I'm not sure what your purpose is in this crossover, so I'm having trouble visualizing what you want the packets to do, but if you are sending them to the server on LAN B from clients on LAN A, then you can't use "not LAN A" for return traffic and expect it to match. > ============================================================= > 元旦、情人节不再做孤独人!你还不快来约会? http://dating.163.com/ > 网易俱乐部为你建造一个超级的私人社区! http://our.163.com > 新年有礼! > VIP邮箱也可以免费用! http://vip.163.com/payment/MobilePayment.shtml Just as an aside, I found this message in my SPAM folder instead of my netfilter folder, because ANY email containing 163.com is automatically dumped. (and yours matches six times) 163.com is one of about 80 domain names that are regularly blocked completely by a number of anti-spam products and services. You also match spam filters based on being in an IP block notable for out-of-control spamming. You probably already know this, and probably got automatic bounces like "The mail server you are sending from is listed on an international Blacklist" from several recipients. Googling "spam 163.com" returns about 2000 hits, while "spam vip.163.com" returns about 200. I REALLY hope and pray that you (or the servers in question here) are not involved in spamming, and that I haven't just perhaps actually helped a spammer. Being the recipient of around 300 spams per month, (and an anti-spam activist) that would really nauseate me. If this is NOT the case, I hope you understand and forgive, and consider getting a different email address. (If it IS the case, I won't offend people with what I hope... >;^) I thought about not replying, but decided that wasn't fair to you, as I have no reason to believe you have anything to do with spamming. j
