Your description describes exactly what is happening far better than mine did.

I am trying to do source routing so that all packets from 203.x.x.x go out on the same line as they came in on. Which is not via the default route for outgoing packets.

To give an example eth0 is connected to routers A and B. The default route is to go out via router A. Packets destined for 203.x.x.x will come in via router B so the return packets need to go out via router B. When the routing decision is made the return packets have a source address of: 192.168.0.1 so they get routed via router A, then in post routing they get unNATed to a 203.x.x.x address.

Thus DNAT of incoming connections cannot be used with source routing.

Tim

> -----Original Message-----
> From: George Vieira [mailto:georgev@xxxxxxxxxxxxxxxxxxxxxx]
> Sent: 23 May 2003 10:19
> To: Tim Saunders; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: UnNATing return packets
>
>
> Sorry, I can't understand your English explanation.
>
> When the packets come in off the internet they hit the EXTernal
> DEVice which the PREROUTING table converts the EXTernal
> DESTination address to the INTernal DEVice's DESTination
> server's IP address..
>
> EXTDEV=eth0
> DESTIP=203.x.x.x.x
> INTIP=192.168.0.1
>
> iptables -A PREROUTING -t nat -i $EXTDEV -d $DESTIP -p tcp --dport 80 -j DNAT --to $INTIP
>
> it changes it at the PREROUTING because the routing table
> won't know where 203.x.x.x is, but if it's changed before
> routing then routing will know that 192.168.0.1 is inside on
> eth1 and pass through the FORWARD chain and out via eth1.
>
> Having said that, going out is the same thing except it's POSTROUTING.
>
> So 192.168.0.1 responds to the packet and goes into eth1
> which then passes through FORWARD and into POSTROUTING which
> then says "hey 192.168.0.1 can't go out onto the net like
> that" and translates it to the IP which matches the
> ip_conntrack table that the original packets wanted to reach
> ie. $DESTIP
>
> this makes perfect sense..
>
> If you can detail what your problem is a bit like about it'll
> help me more to help you.. ;) I hope the above didn't bore
> you either.. ;))
>
> -----Original Message-----
> From: Tim Saunders [mailto:Tim.Saunders@xxxxxxxxxxxxxx]
> Sent: Fri 23-May-03 5:49 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Cc:
> Subject: RE: UnNATing return packets
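The hook ordering discussed in this thread, as an added example that is not part of the original messages: a toy Python model of a reply packet on a DNATed connection, showing that a source-based policy rule is evaluated before POSTROUTING restores the public address. The addresses are constructed placeholders, and the second case (routing on a connection mark restored in PREROUTING, with the hypothetical value `MARK_B`) is an assumption of this example, not something proposed in the thread.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the thread's 203.x.x.x
SERVER_IP = "192.168.0.1"    # internal server from the thread
CLIENT_IP = "198.51.100.7"   # constructed Internet client
MARK_B = 2                   # hypothetical mark: "connection arrived via router B"

@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0

@dataclass
class Conn:                  # simplified conntrack entry made by the inbound DNAT
    client: str
    orig_dst: str            # public address the client connected to
    new_dst: str             # internal address after DNAT
    connmark: int = 0

def route(pkt, rules):
    """First matching policy rule wins; otherwise the default route (router A)."""
    for match, gateway in rules:
        if match(pkt):
            return gateway
    return "router A"

def forward_reply(pkt, conn, rules, restore_mark):
    """Walk a reply through PREROUTING -> routing decision -> POSTROUTING."""
    if restore_mark:                      # PREROUTING (mangle): connmark -> packet
        pkt.mark = conn.connmark
    gateway = route(pkt, rules)           # source is still the internal address
    if pkt.src == conn.new_dst and pkt.dst == conn.client:
        pkt.src = conn.orig_dst           # POSTROUTING (nat): DNAT is reversed
    return gateway, pkt.src

def demo():
    conn = Conn(CLIENT_IP, PUBLIC_IP, SERVER_IP, MARK_B)
    by_source = [(lambda p: p.src == PUBLIC_IP, "router B")]
    by_mark = [(lambda p: p.mark == MARK_B, "router B")]
    first = forward_reply(Packet(SERVER_IP, CLIENT_IP), conn, by_source, False)
    second = forward_reply(Packet(SERVER_IP, CLIENT_IP), conn, by_mark, True)
    return first, second

if __name__ == "__main__":
    print(demo())
```

In both cases the packet leaves with the public source address; only the rule keyed on state available before the routing decision selects router B.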