This is not right. DNAT only changes the Destination (Address Translation) of the packet. The source is left the same unless you have a rule in your POSTROUTING on the DMZ NIC which changes its source to the firewall, which is usually required when the NAT webserver is on the same network as a workstation (i.e. a workstation on the DMZ trying to browse the webserver on the external address), in which case you must NAT the source.

Can you provide all the rules for the NIC and EXTERNAL NIC? Change the Ext addy if you should.

-----Original Message-----
From: Richard Whittaker [mailto:RWHITTAKER@xxxxxxxx]
Sent: Saturday, May 24, 2003 6:29 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: NetFilter DMZ question...

Greetings:

We have a webserver living in a DMZ, and I have the following rule set up to allow this:

/usr/sbin/iptables -A PREROUTING -t nat -i eth1 -p tcp -d 199.85.228.1 --dport 80 -j DNAT --to 192.168.70.3:80

Unfortunately, the web server only sees the IP address of the interface, not the source IP address, which kinda messes with our statistical programs, since the only address the web server "sees" is the same one over, and over...

Is there any way to present the web server with the "real" address, or should it be already?....

Thanks,
Richard...

Richard Whittaker, CISSP
System Manager
NorthwesTel Inc.
Whitehorse, YK
(867) 393-7756
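The rule set the reply asks for, written out as an added example; it is not from either poster. The external interface eth1, the external address 199.85.228.1 and the web server 192.168.70.3:80 are taken from the original message; the DMZ interface name eth2, the firewall's DMZ-side address 192.168.70.1 and the DMZ network 192.168.70.0/24 are assumptions. The script prints the iptables commands by default (DRY_RUN=1) so the rules can be reviewed on any host; set DRY_RUN=0 on the firewall to apply them. It also shows, for contrast, the kind of blanket POSTROUTING rule that makes every client appear as the firewall, which is the symptom described above.

```shell
#!/bin/sh
# Added example (not from the thread). Values from the thread: external
# interface eth1, external address 199.85.228.1, web server 192.168.70.3:80.
# Assumed (not stated in the thread): DMZ interface eth2, firewall DMZ-side
# address 192.168.70.1, DMZ network 192.168.70.0/24.
EXT_IF=${EXT_IF:-eth1}
DMZ_IF=${DMZ_IF:-eth2}
EXT_ADDR=${EXT_ADDR:-199.85.228.1}
WEB_ADDR=${WEB_ADDR:-192.168.70.3}
FW_DMZ_ADDR=${FW_DMZ_ADDR:-192.168.70.1}
DMZ_NET=${DMZ_NET:-192.168.70.0/24}

# DRY_RUN=1 (default) prints each command instead of executing it, so the
# rule set can be inspected without root or iptables installed.
DRY_RUN=${DRY_RUN:-1}
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dmz_rules() {
    # 1. Rewrite the destination of inbound web traffic to the DMZ server.
    #    DNAT changes only the destination; the Internet client's source
    #    address is preserved and is what the web server logs.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_ADDR" --dport 80 \
        -j DNAT --to-destination "$WEB_ADDR:80"

    # 2. Filter table: permit only the translated flow into the DMZ plus
    #    replies to established connections; drop everything else forwarded.
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$WEB_ADDR" --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -P FORWARD DROP

    # 3. Hairpin case only: a DMZ host browsing the external address. Its
    #    packet arrives on the DMZ interface, so it needs its own DNAT and
    #    FORWARD match, and the source must be rewritten to the firewall,
    #    otherwise the server would answer the client directly and the client
    #    would not recognise the reply. The match is narrow (DMZ source only)
    #    so Internet clients keep their real source address.
    ipt -t nat -A PREROUTING -i "$DMZ_IF" -p tcp -d "$EXT_ADDR" --dport 80 \
        -j DNAT --to-destination "$WEB_ADDR:80"
    ipt -A FORWARD -i "$DMZ_IF" -o "$DMZ_IF" -p tcp -d "$WEB_ADDR" --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$DMZ_IF" -s "$DMZ_NET" -d "$WEB_ADDR" \
        -p tcp --dport 80 -j SNAT --to-source "$FW_DMZ_ADDR"
}

# The kind of rule that produces the symptom in the original message: a
# blanket source rewrite on the DMZ interface makes every client, including
# Internet clients, appear as the firewall. Shown for contrast only; it is
# deliberately not part of dmz_rules.
broad_snat_rule() {
    ipt -t nat -A POSTROUTING -o "$DMZ_IF" -j MASQUERADE
}

dmz_rules
```

Verify the live result with `iptables -t nat -L POSTROUTING -n -v`: the only source-rewriting rule on the DMZ interface should carry the `-s 192.168.70.0/24` match, and the web server's access log should then show client addresses rather than 192.168.70.1.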