On Tuesday 28 January 2003 11:04 pm, Jet wrote:
> Hi,
>
> > To get packets NATed as you want them to, they have to reach the
> > PREROUTING chain on the firewall. That means when the access router
> > wants to forward these packets, it must get an ARP reply for their
> > destination IP. If NATed IPs were not aliased on the firewall, then
> > nobody would answer the access router's ARP requests, and connections
> > would not get established.
>
> I don't totally agree on this. How about POSTROUTING?
>
> > The only thing you have to keep in mind is that packets you want to
> > NAT have to reach the firewall. As they're not destined to, you have
> > to force them a bit ;)
>
> Can anyone explain why we don't have to do the same for POSTROUTING?

At POSTROUTING the packet is already IN the firewall box, and is about to pass back out. The issue mentioned above is trying to get an access router to recognize that the box is an appropriate destination for a given packet, so that the packet will be sent to it to begin with. If and when it does so, the packet first appears in the PREROUTING chain(s).

j

> - Jet
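As an added illustration of the setup discussed in this thread (written for this page, not code from either poster), the script below aliases the NATed address so the firewall answers the access router's ARP requests, DNATs inbound traffic in PREROUTING, and SNATs the return traffic in POSTROUTING, where no ARP trick is needed because the packet is already inside the box. The interface name and the addresses (RFC 5737 documentation ranges) are assumptions; the commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface and addresses
# are assumed values; adjust them for a real deployment.
WAN_IF=eth0
NAT_IP=203.0.113.10        # public address to NAT; not the firewall's own
INTERNAL_HOST=192.168.1.20 # server behind the firewall
FW_IP=203.0.113.2          # firewall's own public address (for reference)

# Print each command unless APPLY=1, so the ruleset can be reviewed
# or tested without root.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

setup_nat() {
    # 1. Alias NAT_IP on the WAN interface: the firewall now answers the
    #    access router's ARP request for it, so the packet actually
    #    arrives and PREROUTING gets to see it.
    run ip addr add "$NAT_IP/32" dev "$WAN_IF"
    # 2. Inbound: rewrite the destination before routing (PREROUTING).
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$NAT_IP" \
        -j DNAT --to-destination "$INTERNAL_HOST"
    # 3. Outbound: the packet is already in the box, so POSTROUTING can
    #    rewrite the source with no ARP involvement at all.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$INTERNAL_HOST" \
        -j SNAT --to-source "$NAT_IP"
    # 4. Let the forwarded traffic through (FORWARD may default to DROP).
    run iptables -A FORWARD -i "$WAN_IF" -d "$INTERNAL_HOST" -j ACCEPT
    run iptables -A FORWARD -o "$WAN_IF" -s "$INTERNAL_HOST" -j ACCEPT
}

setup_nat
```

After applying, `ip neigh show` on the access router should list the firewall's MAC address for NAT_IP; if it does not, the alias is missing and PREROUTING will never see the packets.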