Re: NAT question

On Wed 09/04/2003 at 11:51, Philippe Dhont (Sea-ro) wrote:
> I added 
> $IPTABLES -t nat -A POSTROUTING -j SNAT --to-source 10.165.165.165 
> Now when I ping from 10.51.13.13 on eth0 side to 10.165.1.60 then I can see
> via tcpdump that on eth1 the 10.165.1.60 is seeking the 10.165.165.165
> "arp who-has 10.165.165.165 tell 10.165.1.60" is what I get.
> So I guess that this means that iptables changed the address?

As far as I understand your configuration, eth0's side is NATed when
talking to eth1's side.

If so, yes, Netfilter has already changed the address. That's obvious.
Your echo request has crossed the box, and has been source NATed to
10.165.165.165. Then 10.165.1.60 receives it and tries to reply. It
replies to 10.165.165.165. Nothing special in there, everything's
normal.

But on eth1's side, nobody answers ARP requests for 10.165.165.165. So
you did not configure your firewall to answer them. That's the issue.

> So the firewall doesn't know that it converted the ip number before and
> can't send a reply to the correct ip address where it originally came from

It knows about this. But it is not its job to answer ARP requests. It's
your job to configure it as such.

> How can I make this work so that if I ping to 10.165.1.60 that I can get a
> reply?

	ip addr add 10.165.165.165 dev eth1

So your firewall answers ARP requests for 10.165.165.165.

> AND that the NAT thing did its work ?

It did it well.

-- 
Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
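As an added example (this is not part of Cédric's reply, nor code from the netfilter project), here is a small check for exactly the mistake in the thread: a POSTROUTING SNAT rule whose --to-source address is not configured on the firewall, so nothing on the egress segment answers ARP for it. It parses the text of `iptables-save` and `ip -o -4 addr show`, reports every SNAT source address that the egress interface (or, for rules without -o, any interface) does not own, and prints the `ip addr add` commands that fix it. The sample rule set and address listing below are constructed for the example; the function names and the `--live` option are the example's own, not anything from the list or the kernel.

```python
#!/usr/bin/env python3
"""Lint SNAT --to-source addresses against the firewall's own addresses.

Every address netfilter rewrites a packet's source to must be one the box
answers ARP for on the egress segment; otherwise replies die at
"arp who-has <addr>", which is the symptom described in the thread.
Added example; inputs are the text of `iptables-save` and `ip -o -4 addr show`.
"""
import ipaddress
import re
import subprocess
import sys

# Constructed sample (not from the original post): the thread's rule pinned to
# eth1, a range rule on eth2, a rule without -o, and a MASQUERADE rule.
SAMPLE_IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o eth1 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 10.165.165.165
-A POSTROUTING -o eth2 -j SNAT --to-source 192.0.2.10-192.0.2.12:1024-65535
-A POSTROUTING -s 10.51.13.0/24 -j SNAT --to-source 10.165.1.1
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

# Constructed sample in `ip -o -4 addr show` format: eth1 owns only 10.165.1.1,
# so the box never answers ARP for 10.165.165.165; eth2 lacks 192.0.2.12.
SAMPLE_IP_ADDR = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.51.13.1/24 brd 10.51.13.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 10.165.1.1/16 brd 10.165.255.255 scope global eth1\       valid_lft forever preferred_lft forever
4: eth2    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth2\       valid_lft forever preferred_lft forever
4: eth2    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth2\       valid_lft forever preferred_lft forever
"""

SNAT_RULE = re.compile(
    r"^-A POSTROUTING\b(?P<opts>.*?)-j SNAT\s+--to-source\s+(?P<src>\S+)")
OUT_IFACE = re.compile(r"(?:^|\s)-o\s+(\S+)")


def expand_range(spec):
    """Expand 'a.b.c.d' or 'a.b.c.d-w.x.y.z' (port part already stripped)."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    return [ipaddress.ip_address(spec)]


def parse_snat_rules(save_text):
    """Return [(egress iface or None, [addresses])] for SNAT rules in *nat."""
    rules, in_nat = [], False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
            continue
        m = SNAT_RULE.match(line) if in_nat else None
        if not m:
            continue
        oif = OUT_IFACE.search(m.group("opts"))
        src = m.group("src").split(":")[0]      # drop optional :port-port
        rules.append((oif.group(1) if oif else None, expand_range(src)))
    return rules


def parse_local_addrs(ip_o_text):
    """Map iface -> set of IPv4 addresses from `ip -o -4 addr show` output."""
    local = {}
    for line in ip_o_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "inet":
            continue
        local.setdefault(parts[1], set()).add(ipaddress.ip_interface(parts[3]).ip)
    return local


def find_unowned_snat_sources(save_text, ip_o_text):
    """List (iface, address) for SNAT sources the box does not own.

    With -o, the egress interface itself must own the address; without -o any
    local address counts, since the kernel answers ARP for all of them by default.
    """
    local = parse_local_addrs(ip_o_text)
    any_local = set().union(*local.values()) if local else set()
    missing = []
    for oif, addrs in parse_snat_rules(save_text):
        owned = local.get(oif, set()) if oif else any_local
        missing.extend((oif, str(a)) for a in addrs if a not in owned)
    return missing


def remediation(missing):
    """The fix from the thread: give the box the address (a /32 is enough for
    the kernel to answer ARP for it on that interface)."""
    return [f"ip addr add {addr} dev {oif or '<egress-iface>'}" for oif, addr in missing]


def main(argv):
    if "--live" in argv:      # run against this box instead of the sample data
        save = subprocess.run(["iptables-save", "-t", "nat"], check=True,
                              capture_output=True, text=True).stdout
        addrs = subprocess.run(["ip", "-o", "-4", "addr", "show"], check=True,
                               capture_output=True, text=True).stdout
    else:
        save, addrs = SAMPLE_IPTABLES_SAVE, SAMPLE_IP_ADDR
    missing = find_unowned_snat_sources(save, addrs)
    if not missing:
        print("ok: every SNAT --to-source address is configured locally")
        return 0
    for oif, addr in missing:
        print(f"SNAT to {addr} via {oif or 'any interface'}: no local interface owns it")
    print("suggested fix:")
    for cmd in remediation(missing):
        print("  " + cmd)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the sample findings, or with `--live` (as root) to check the running box. Note that adding the address only makes the firewall answer ARP; the SNAT itself, as Cédric says, was already working.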


