On Fri, Apr 11, 2003 at 09:55:49AM +0200, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:

> > Hi, I have a somewhat convoluted setup, so I'll try to describe it.
> >
> > DSL provider gave me a /29 for my machines
> > (say, 200.1.1.0/29)
> > DSL provider also supplied a /30 to go between DSL modem and the DSLAM.
> > (say, 201.1.1.0/30 - irrelevant here, really)
> > I am using a random /30 to go between the DSL modem and my firewall
> > (say, 10.1.1.0/30)
> > [...]
> > I soon realised that since I'm using a non-routed address for the "outside"
> > interface of the firewall, I run into issues trying to initiate any
> > connection from the fw machine, so I added:
> >
> > iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.1 -j SNAT --to-source 200.1.1.1
> >
> > This works for 99% of the traffic sourced on the firewall machine, it seems.
> >
> > One thing it DOES NOT work for, is the ICMP (and probably RST - didn't try)
> > packets that are generated by the REJECT target. These get sourced from the
> > unroutable address, and since my ISP wisely filters things like that, the
> > ICMP never makes it to the sender.
>
> If I understand your setup and the problem correctly, you mean that you
> REJECT requests targeted to the firewall itself and the reject packets
> contain the private address of the firewall as source address.
>
> But how can packets reach the private address of your firewall?

No, the problem is that when the firewall machine REJECTs any packets in a
FORWARD chain (i.e., anything I am blocking that is destined to the network
behind it), the source IP of the ICMP UNREACH (or even the RST packets) is
that of the *outside* interface - the unroutable address.

It seems the POSTROUTING is not performed on the ICMPs that are created by
the actual host.

Is there any way around this?

-T
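The following is an added check, not code from the thread, for confirming the symptom described above on a captured packet: it parses an IPv4 ICMP destination-unreachable message (the kind REJECT emits), recovers the original destination from the embedded header, and flags whether the outer source is still a private address, i.e. whether SNAT was skipped. The addresses in the constructed test packet are the ones from the post (10.1.1.1 outside, 200.1.1.0/29 behind); the remote 198.51.100.7 is a documentation address chosen here.

```python
import ipaddress
import struct

# RFC 1918 ranges; the post's 10.1.1.1 outside address falls in the first.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipv4(pkt):
    """Return (header length, protocol, src, dst) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return ihl, proto, src, dst


def check_reject_icmp(pkt):
    """Describe an ICMP type 3 packet and whether its source leaks a
    private address (SNAT not applied). Returns None for other packets."""
    ihl, proto, src, dst = parse_ipv4(pkt)
    if proto != 1:                      # not ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 3:                    # not destination unreachable
        return None
    # ICMP error carries the original IP header plus 8 bytes of its payload.
    _, _, orig_src, orig_dst = parse_ipv4(icmp[8:])
    return {
        "src": str(src), "dst": str(dst), "code": icmp[1],
        "orig_src": str(orig_src), "orig_dst": str(orig_dst),
        "leaks_private_source": any(src in n for n in PRIVATE_NETS),
    }


def build_icmp_unreach(src, dst, orig_src, orig_dst, code=3):
    """Construct a minimal ICMP port-unreachable (code 3, the REJECT
    default) for testing; checksums are left zero on purpose."""
    def ip_hdr(s, d, proto, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                           proto, 0, ipaddress.ip_address(s).packed,
                           ipaddress.ip_address(d).packed)
    inner = ip_hdr(orig_src, orig_dst, 6, 28) + b"\x00" * 8   # TCP stub
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner
    return ip_hdr(src, dst, 1, 20 + len(icmp)) + icmp
```

Run the check over ICMP packets captured on the outside interface; any result with leaks_private_source set is a reject that the ISP's filter will drop.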