Err, I should have mentioned:

Linux 2.4.20-8 (RedHat 9.0)
iptables v1.2.7a

(need anything else?)

-Taner

On Wed, Apr 02, 2003 at 12:06:38AM -0800, Taner Halicioglu <taner@xxxxxxxxx> wrote:
> Hi, I have a somewhat convoluted setup, so I'll try to describe it.
>
> DSL provider gave me a /29 for my machines
> (say, 200.1.1.0/29)
> DSL provider also supplied a /30 to go between DSL modem and the DSLAM.
> (say, 201.1.1.0/30 - irrelevant here, really)
> I am using a random /30 to go between the DSL modem and my firewall
> (say, 10.1.1.0/30)
>
> Here is the visual:
>
>                [ISP]
>                  |
>                  | [201.1.1.0/30 - irrelevant]
>                  |
>           +------------+
>           | DSL router |
>           +------------+ = 10.1.1.2
>                  |
>                  | [10.1.1.0/30]
>                  |
>        +------------------+ eth1 = 10.1.1.1
>        | Firewall machine |
>        +------------------+ eth0 = 200.1.1.1
>                  |
>                  | [200.1.1.0/29]
>                  |
>               [INSIDE]
>
>
> For right now, my firewall rules are basically nothing - I pass everything
> thru the firewall machine.
>
> I soon realised that since I'm using a non-routed address for the "outside"
> interface of the firewall, I run into issues trying to initiate any
> connection from the fw machine, so I added:
>
> iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.1 -j SNAT --to-source 200.1.1.1
>
> This works for 99% of the traffic sourced on the firewall machine, it seems.
>
> One thing it DOES NOT work for, is the ICMP (and probably RST - didn't try)
> packets that are generated by the REJECT target. These get sourced from the
> unroutable address, and since my ISP wisely filters things like that, the
> ICMP never makes it to the sender.
>
> Am I doing something wrong, or is this a bug?
>
> Thanks,
>
> -Taner
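A way to measure how much of the firewall's own traffic the SNAT rule actually covers, added here as an example and not something posted in the thread: watch the DSL-side interface with tcpdump and flag every packet headed out to the Internet whose source is not a public address. The script below parses `tcpdump -lnni eth1` output (modern `tcpdump -nn` line format, IPv4 only) and uses the placeholder addresses from the post, 200.1.1.0/29 as the public block and 10.1.1.0/30 as the link to the DSL router; the embedded sample capture is constructed for the demonstration, and the 198.51.100.x hosts in it are documentation addresses, not real peers. The kind labels (ICMP unreachable versus TCP reset) are a classification choice of this example, so that REJECT-generated replies are easy to tell apart from ordinary traffic.

```python
#!/usr/bin/env python3
"""Check the outside interface for packets that leave with an unroutable source.

Added example for the setup described in the post; not code from the thread.
Feed it `tcpdump -lnni eth1` from the firewall's DSL-side interface and it
reports every packet headed out to the Internet whose source is not one of
the firewall's public addresses. Assumptions (placeholders from the post):
200.1.1.0/29 is the public block, 10.1.1.0/30 the link to the DSL router.
IPv4 only; line format is that of modern `tcpdump -nn`.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

PUBLIC_NETS = [ipaddress.ip_network("200.1.1.0/29")]
# Everything on "our" side of eth1: the public block plus the private link net.
LOCAL_NETS = PUBLIC_NETS + [ipaddress.ip_network("10.1.1.0/30")]

# "<timestamp> IP <src>[.<port>] > <dst>[.<port>]: <rest of line>"
_LINE = re.compile(r"^\S+\s+IP\s+(\S+)\s+>\s+(\S+):\s+(.*)$")
_FLAGS = re.compile(r"Flags \[([^\]]*)\]")


@dataclass
class Packet:
    src: str
    dst: str
    kind: str      # "icmp-unreach", "tcp-rst" or "other"
    detail: str


def split_host_port(token):
    """tcpdump -nn prints IPv4 as host.port; strip the port if present."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_line(line):
    """Turn one tcpdump line into a Packet, or None if it is not an IP line."""
    m = _LINE.match(line)
    if not m:
        return None
    src, _ = split_host_port(m.group(1))
    dst, _ = split_host_port(m.group(2))
    rest = m.group(3)
    flags = _FLAGS.search(rest)
    if rest.startswith("ICMP") and "unreachable" in rest:
        kind = "icmp-unreach"     # shape of REJECT's default ICMP reply
    elif flags and "R" in flags.group(1):
        kind = "tcp-rst"          # shape of REJECT --reject-with tcp-reset
    else:
        kind = "other"
    return Packet(src, dst, kind, rest)


def _in(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def leaked_packets(lines):
    """Outbound packets (destination not on our side) with a non-public source."""
    leaks = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if _in(pkt.dst, LOCAL_NETS):   # inbound or link-local traffic: ignore
            continue
        if not _in(pkt.src, PUBLIC_NETS):
            leaks.append(pkt)
    return leaks


def summarize(lines):
    """Count leaks by (source address, packet kind)."""
    return Counter((p.src, p.kind) for p in leaked_packets(lines))


# Constructed sample, not a real capture. 198.51.100.x are documentation addresses.
SAMPLE = """\
00:12:01.100000 IP 200.1.1.1.33012 > 198.51.100.7.80: Flags [S], seq 123456, win 5840, length 0
00:12:01.150000 IP 198.51.100.7.80 > 200.1.1.1.33012: Flags [S.], seq 7, ack 123457, win 65535, length 0
00:12:02.000000 IP 198.51.100.9.40111 > 200.1.1.5.113: Flags [S], seq 99, win 5840, length 0
00:12:02.000200 IP 10.1.1.1 > 198.51.100.9: ICMP 200.1.1.5 tcp port 113 unreachable, length 68
00:12:03.000000 IP 200.1.1.5.22 > 198.51.100.9.40113: Flags [R.], seq 0, ack 1, win 0, length 0
00:12:04.000000 IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 1, seq 1, length 64
"""

if __name__ == "__main__":
    import sys
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for p in leaked_packets(lines):
        print(f"LEAK src={p.src} dst={p.dst} kind={p.kind}: {p.detail}")
```

Run on the firewall as `tcpdump -lnni eth1 | python3 wirecheck.py` (the file name is arbitrary) while poking rejected ports from an outside host; with no stdin it runs over the embedded sample, where only the ICMP unreachable sourced from 10.1.1.1 is reported. Because the capture is taken on the wire after the nat POSTROUTING hook, it shows exactly what the ISP sees, which is what the SNAT rule is supposed to have fixed.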