RE: nat no traffic returns

>You should add an SNAT rule, so your inside box is able to answer to the 
>outside connection from private IP (10.0.0.112). 
This is not necessarily true; this isn't a requirement until the 10.0.0.112 machine needs to make the first move and make an outgoing connection (SYN). Only then would you need SNAT. DNAT connections should be handled fine with ip_conntrack.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

 

-----Original Message-----
From: Szabo Nandor [mailto:medve@xxxxxxxxxx]
Sent: Wednesday, May 21, 2003 7:49 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: nat no traffic returns


B. van Ouwerkerk writes: 

> This one is really starting to get me. 
> 
> I have worked with iptables before without connections started from the 
> outside. In this case I need to allow connection from the outside to go to 
> a box on the inside. 
> 
> I was under the impression that a rule like: 
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d public_ip --dport 3389 -j DNAT --to 10.0.0.112:3389 
> 
> would send the incoming packets to the inside box. And that: 
> 
> iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.112 -j ACCEPT
> or
> iptables -A FORWARD -i eth1 -j ACCEPT 
> 
> Should send any reply from the inside box to the world.
> But it isn't happening :(

You should add an SNAT rule, so your inside box is able to answer to the outside connection from private IP (10.0.0.112). 

#iptables -t nat -A POSTROUTING -s 10.0.0.112 -o eth0 -j SNAT --to-source public_ip 

Nandor Szabo 
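The ruleset below is an added example, not code posted by anyone in the thread. It puts the two positions side by side: the DNAT rule from the original post plus the FORWARD rules that let the first packet in and let conntrack pass the replies (no SNAT involved, as George says), and Nandor's SNAT rule placed where it actually belongs, covering only connections that 10.0.0.112 opens itself. Interface names, addresses, the port and the public_ip placeholder are the thread's; the IPTABLES variable, the WAN_IF/LAN_IF/INSIDE/PORT names and the dry/apply arguments are assumptions made here so the rules can be printed with IPTABLES=echo before being loaded on a live box. It also needs net.ipv4.ip_forward=1 and root.

```shell
#!/bin/sh
# Added example (not from the thread): port-forward tcp/3389 arriving on
# eth0 for public_ip to 10.0.0.112 behind eth1. The IPTABLES variable and
# the dry/apply arguments are assumptions so the rules can be dry-run
# with IPTABLES=echo. Needs root and sysctl -w net.ipv4.ip_forward=1.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PUBLIC_IP=${PUBLIC_IP:-public_ip}   # placeholder, as in the thread
INSIDE=${INSIDE:-10.0.0.112}
PORT=${PORT:-3389}
IPTABLES=${IPTABLES:-iptables}

apply_port_forward() {
    # Rewrite the destination of the inbound SYN before the routing
    # decision. Conntrack records the mapping and, on the way back out,
    # rewrites the source of 10.0.0.112's replies to public_ip. That
    # reverse translation is why no SNAT is needed for DNAT'd sessions.
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" \
        --dport "$PORT" -j DNAT --to-destination "$INSIDE:$PORT"

    # FORWARD sees the packet after DNAT, so match the inside address.
    # Without this a DROP policy on FORWARD silently eats the first packet.
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$INSIDE" \
        --dport "$PORT" -m state --state NEW -j ACCEPT

    # Replies in either direction belong to a tracked connection; one rule
    # covers both the DNAT'd session and anything the inside box started.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SNAT is needed only when 10.0.0.112 sends the first SYN itself.
    # POSTROUTING lives in the nat table, so -t nat is mandatory here.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INSIDE" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$INSIDE" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# Usage (script name is an assumption):
#   sh port_forward.sh dry     # print the rules instead of loading them
#   sh port_forward.sh apply   # load them (as root)
case "${1:-}" in
    dry)   IPTABLES=echo apply_port_forward ;;
    apply) apply_port_forward ;;
esac
```

Two things to check when the replies still do not come back: 10.0.0.112's default gateway has to be the NAT box, otherwise its replies leave by a path conntrack never sees and the reverse translation never happens; and the DNAT'd connection should show up in /proc/net/ip_conntrack (nf_conntrack or `conntrack -L` on later kernels) with the 10.0.0.112 address in the reply tuple. If the entry is there but nothing reaches the inside box, the FORWARD chain, not NAT, is what is dropping the packet.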
