Hi, On Wed, 2 Apr 2003, Taner Halicioglu wrote: > Hi, I have a somewhat convoluted setup, so I'll try to describe it. > > DSL provider gave me a /29 for my machines > (say, 200.1.1.0/29) > DSL provider also supplied a /30 to go between DSL modem and the DSLAM. > (say, 201.1.1.0/30 - irrelevant here, really) > I am using a random /30 to go between the DSL modem and my firewall > (say, 10.1.1.0/30) > > Here is the visual: > > [ISP] > | > | [201.1.1.0/30 - irrelevant] > | > +------------+ > | DSL router | > +------------+ = 10.1.1.2 > | > | [10.1.1.0/30] > | > +------------------+ eth1 = 10.1.1.1 > | Firewall machine | > +------------------+ eth0 = 200.1.1.1 > | > | [200.1.1.0/29] > | > [INSIDE] > > > For right now, my firewall rules are basiclaly nothing - I pass everything > thru the firewall machine. > > I soon realised that since I'm using a non-routed address for the "outside" > interface of the firewall, I run into issues trying to initiate any > connection from the fw machine, so I added: > > iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.1 -j SNAT --to-source 200.1.1.1 > > This works for 99% of the traffic sourced on the firewall machine, it seems. > > One thing it DOES NOT work for, is the ICMP (and probably RST - didn't try) > packets that are generated by the REJECT target. These get sourced from the > unroutable address, and since my ISP wisely filters things like that, the > ICMP never makes it to the sender. If I understand your setup and the problem correctly, you mean that you REJECT requests targeted to the firewall itself and the reject packets contain the private address of the firewall as source address. But how packets can reach the private address of your firewall? Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary