On Sunday 06 April 2003 06:36 am, Reuven Kohanim wrote:
> Hello,
> I currently work with ipchains to set up NAT from my
> private network to the internet. Before getting to the
> MASQ line I had a few forward rules for letting a few
> stations get to a server in my DMZ with their
> original IP address intact (i.e. not NATted). I need
> to do this to allow those stations to work the
> X-protocol with the server set in my DMZ.
>
> I have tried to upgrade to iptables. No matter what I
> have tried, those stations go out with the NAT address.
> After having studied the flow charts of how a packet
> traverses the chains, it seems to me that I am out of
> luck and no matter what I do the packet will end up in
> the nat table of iptables and therefore its address
> will get masqueraded. Am I wrong? Can anyone tell me
> how to avoid masquerading those few stations when
> working with my server? The SNAT will not do since I
> need to preserve their original address.

If you need to SNAT other traffic going to the server in the DMZ but NOT
SNAT traffic from select sources, you can:

iptables -t nat -A POSTROUTING -o $DMZIF -s a.b.c.d -j ACCEPT
iptables -t nat -A POSTROUTING -o $DMZIF -s a.b.c.e -j ACCEPT
iptables -t nat -A POSTROUTING -o $DMZIF -j SNAT --to $DMZIFIP

Obvious substitutions for your environment would apply, but the basic idea
is to ACCEPT those particular connections, then SNAT what remains.

> If I am not in the correct place for asking this
> question I would appreciate it if someone would point
> me to the right forum.

Precisely the correct place. :^)

> Thanks,
> Reuven

j
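The technique in the reply above, written out as a small script (an added example, not code from the original post or from the netfilter project). The interface name, the DMZ-side address and the two exempt station addresses are assumptions chosen for illustration. The point the script makes explicit is ordering: in the nat table an ACCEPT target ends traversal for that connection, so the per-station ACCEPT rules only have the desired effect if they are appended before the catch-all SNAT rule. The script generates the rules as a list, applies them with whatever command IPT names (iptables by default, echo for a dry run), and includes a check that the SNAT rule really does come last.

```bash
#!/bin/sh
# Added example, not from the original mailing-list post.
# Exempt a few private-network stations from SNAT toward the DMZ, then
# SNAT everything else leaving on the DMZ interface.
# All names and addresses below are assumptions for illustration.
DMZIF=eth2                    # assumed DMZ-facing interface
DMZIFIP=192.168.100.1         # assumed address of the firewall on the DMZ
EXEMPT="10.0.0.11 10.0.0.12"  # assumed stations that must keep their own source IP

# Command used to apply each rule. Override with IPT=echo for a dry run.
IPT=${IPT:-iptables}

# Emit the nat POSTROUTING rules, one per line, in the order they must be
# appended: every per-station ACCEPT first, the catch-all SNAT last.
nat_rules() {
    for s in $EXEMPT; do
        echo "-t nat -A POSTROUTING -o $DMZIF -s $s -j ACCEPT"
    done
    echo "-t nat -A POSTROUTING -o $DMZIF -j SNAT --to-source $DMZIFIP"
}

# Apply the rules with $IPT. Word-splitting of $rule is intended here.
apply_rules() {
    nat_rules | while read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

# Ordering check: fail (non-zero exit) if any ACCEPT rule would be appended
# after the SNAT rule, since such an ACCEPT would never be reached for a
# connection that the SNAT rule already matched.
check_order() {
    nat_rules | awk '
        /-j SNAT/ { seen_snat = 1; next }
        /-j ACCEPT/ && seen_snat { bad = 1 }
        END { exit bad }'
}

# Stand-alone use: verify ordering, then apply (or print, with IPT=echo).
if [ "${1:-}" = "--apply" ]; then
    check_order && apply_rules
fi
```

Two practical caveats that apply whichever addresses you substitute: the exempted stations still need to be allowed through the filter table's FORWARD chain (the nat table only decides address rewriting), and because their packets arrive at the DMZ server with the private source address intact, the DMZ server must have a route back to that private network via the firewall, otherwise its replies never return.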