Re: Transitioning from one DNAT gateway to another

I think I answered my own question. I was able to SNAT
on connections that were directed toward an internal
server using this command:

iptables -t nat -A POSTROUTING -o $DMZ_DEV -j SNAT --to $DMZ_IP

So, when a packet for port 80 comes into the firewall,
it is redirected toward a server in the DMZ. Then, SNAT
is used so the responses back from the web server come back
out through the current gateway instead of the gateway
used by the DMZ server.

I apologize for finding out on my own what should have been
obvious from the start.

-jph


Joe Haynes said:
> Hello to the list.
>
> I apologize if this subject has been covered
> elsewhere, but I have yet to locate instructions
> on how to do this (redirections to appropriate
> sites would be much appreciated).
>
> Our network is currently attached to the internet via
> a wavelan link (with a dedicated IP). We are transitioning
> over to a T-1 line that has a new IP address.
>
> What we would like to do is run a gateway off each single
> external address and redirect specific ports to a single
> internal server (we want to run both while we wait for
> DNS updates).
>
> Currently, we redirect port 80 on our external IP to an internal
> webserver (also on port 80) using this line:
> $IPT -t nat -A PREROUTING -i $INTERNET_DEV -d $INTERNET_IP -p tcp --dport 80 -j DNAT --to 192.168.1.5
>
> We'd like to do the same thing off the new gateway that's
> linked to the T-1 line.
>
> The problem I've run into is the responses that have come
> through the new gateway end up getting sent back out
> the old gateway.
>
> Is there a way to redirect packets to the internal server using
> PREROUTE and then change the source addresses using POSTROUTE so
> the responses from the internal server come back through
> the correct gateway?
>
> Thank you,
>
> Joe Haynes
> Helena Montana
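
The rule set the thread arrives at (DNAT on each external interface, one SNAT on the DMZ side so replies return through the firewall), as an added example that is not code from the list post. Interface names and addresses are constructed placeholders, and IPT defaults to "echo iptables" so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the list post: NAT rules for one DMZ web server
# published behind two external gateways. Interface names and addresses are
# constructed placeholders. IPT defaults to "echo iptables" so the script prints
# the rules instead of applying them; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# DNAT for one external gateway: only this interface, this address, port 80.
# $1 = external device, $2 = external IP, $3 = DMZ server IP
dnat_rule() {
    $IPT -t nat -A PREROUTING -i "$1" -d "$2" -p tcp --dport 80 -j DNAT --to-destination "$3:80"
}

# One SNAT rule shared by both gateways: packets leaving for the server on the
# DMZ interface get the firewall's DMZ address as source, so the server answers
# the firewall instead of using its own default gateway. conntrack reverses both
# translations and the reply exits through the interface the request came in on.
# Cost: the server's logs record $2 for every client instead of the real address.
# $1 = DMZ device, $2 = firewall's DMZ IP, $3 = DMZ server IP
snat_rule() {
    $IPT -t nat -A POSTROUTING -o "$1" -d "$3" -p tcp --dport 80 -j SNAT --to-source "$2"
}

# Only DNATed port-80 connections may be forwarded into the DMZ; the returning
# packets are covered by an ESTABLISHED,RELATED rule assumed to exist in FORWARD.
# $1 = external device, $2 = DMZ device, $3 = DMZ server IP
forward_rule() {
    $IPT -A FORWARD -i "$1" -o "$2" -d "$3" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Full rule set: old gateway, new gateway, one shared SNAT rule.
# $1/$2 old dev/IP, $3/$4 new dev/IP, $5 DMZ dev, $6 firewall DMZ IP, $7 server IP
dual_gateway_rules() {
    dnat_rule "$1" "$2" "$7"; forward_rule "$1" "$5" "$7"
    dnat_rule "$3" "$4" "$7"; forward_rule "$3" "$5" "$7"
    snat_rule "$5" "$6" "$7"
}

# Constructed example values (RFC 5737 documentation ranges on the external side).
dual_gateway_rules eth0 203.0.113.10 eth2 198.51.100.20 eth1 192.168.1.1 192.168.1.5
```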
