RE: NetFilter DMZ question...


 



This is not right: DNAT only changes the destination (address translation) of the packet.
The source is left the same unless you have a rule in your POSTROUTING on the DMZ NIC which changes its source to the firewall. That is usually required when the NAT webserver is on the same network as a workstation (i.e. a workstation on the DMZ trying to browse the webserver on the external address), in which case you must NAT the source.

Can you provide all the rules for the NIC and the external NIC? Change the external address if you need to.

-----Original Message-----
From: Richard Whittaker [mailto:RWHITTAKER@xxxxxxxx]
Sent: Saturday, May 24, 2003 6:29 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: NetFilter DMZ question...


Greetings:

We have a webserver living in a DMZ, and I have the following rule
setup to allow this:

/usr/sbin/iptables -A PREROUTING -t nat -i eth1 -p tcp -d 199.85.228.1 \
    --dport 80 -j DNAT --to 192.168.70.3:80

Unfortunately, the web server only sees the IP address of the
interface, not the source IP address, which kinda messes with our
statistical programs, since the only address the web server "sees" is
the same one over, and over... Is there any way to present the web
server with the "real" address, or should it be already?....

Thanks,
Richard...


Richard Whittaker, CISSP
System Manager
NorthwesTel Inc.
Whitehorse, YK
(867) 393-7756
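The reply above makes two points: DNAT alone preserves the client's source address, and a source NAT is only needed for the hairpin case (a DMZ host reaching the web server via the external address). The script below is an added illustration of that rule set, not code from either poster. The external address 199.85.228.1, the web server 192.168.70.3 and the external interface eth1 come from the thread; eth2 as the DMZ interface, 192.168.70.0/24 as the DMZ network and 192.168.70.1 as the firewall's DMZ-side address are assumptions. IPT defaults to `echo iptables` so the script prints the rules instead of loading them; set IPT=iptables to apply them for real.

```shell
#!/bin/sh
# Added example, not the list's or the poster's configuration.
# Assumed layout: eth1 = external (from the thread), eth2 = DMZ (assumed),
# 199.85.228.1 = external address and 192.168.70.3 = web server (from the thread),
# 192.168.70.0/24 = DMZ network and 192.168.70.1 = firewall's DMZ address (assumed).
IPT="${IPT:-echo iptables}"   # "echo iptables" = dry run; IPT=iptables applies (root)
EXT_IF=eth1
DMZ_IF=eth2
EXT_ADDR=199.85.228.1
WEB=192.168.70.3
DMZ_NET=192.168.70.0/24
FW_DMZ_ADDR=192.168.70.1

# DNAT rewrites only the destination. The Internet client's source address is
# untouched, so the web server logs the real remote address.
dnat_rule() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_ADDR" --dport 80 \
        -j DNAT --to-destination "$WEB:80"
}

# Hairpin case: a DMZ workstation browses the external address. After DNAT the
# packet leaves through the DMZ interface again; without SNAT the web server
# would answer the workstation directly and the firewall's conntrack entry
# would never see the reply. Restricting the match to DMZ-sourced traffic keeps
# the source of Internet clients intact. POSTROUTING sees the post-DNAT
# destination, hence -d "$WEB".
hairpin_snat_rule() {
    $IPT -t nat -A POSTROUTING -o "$DMZ_IF" -s "$DMZ_NET" -d "$WEB" -p tcp --dport 80 \
        -j SNAT --to-source "$FW_DMZ_ADDR"
}

# The anti-pattern that produces the symptom in the question: a MASQUERADE on the
# DMZ interface with no source restriction hides every client, Internet ones
# included, behind the firewall's DMZ address. Shown for comparison only.
broad_masquerade_rule() {
    $IPT -t nat -A POSTROUTING -o "$DMZ_IF" -j MASQUERADE
}

apply_rules() {
    dnat_rule
    hairpin_snat_rule
}

apply_rules
```

To check whether an existing firewall has the broad form, list the nat POSTROUTING chain with `iptables -t nat -L POSTROUTING -v -n`: a SNAT or MASQUERADE line whose source column is 0.0.0.0/0 and whose out-interface is the DMZ NIC is the rule that rewrites every client's address.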




