RE: Is this correct?

I have to correct that line I mentioned below. It should have been as in a previous user's post, which showed the netmask as 255.255.255.0 (/24), not 255.0.0.0 (/8); that's if ALL hosts are on a class C network with a class A address.
If they are all on 10.0.0.X/255.255.255.0 and they want to talk to 10.0.0.1 and that machine doesn't exist, it'll fail unless:

1. You add the IP to the firewall so it'll respond to the ARP requests, and then your rule will work.
2. You add a host route to all machines to go via the firewall even when it hasn't got that IP... a bloody big job if there are a lot of hosts, and ugly.

If the source IP is not 10.0.0.X and the default gateway IS the firewall, then it'll work. But from what you're saying about the network structure, it won't without some more changes.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
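The first-hop reasoning in the reply above, as an added example that is not part of the thread: a small model of how a sending host picks the address it ARPs for, and therefore whether a packet for 10.0.0.1 ever arrives on the firewall's eth0 where the PREROUTING DNAT rule can match it. The 10.0.0.50 client, the host-route dictionary and the 192.168.5.x addresses are constructed for the example.

```python
# Added example (not from the list thread): model the first-hop decision a
# sending host makes, to show when a packet for 10.0.0.1 actually reaches the
# firewall's eth0 so the PREROUTING DNAT rule can see it.
from ipaddress import IPv4Address, ip_address, ip_interface
from typing import Dict, Optional, Set


def next_hop(host_iface: str, dst: str, default_gw: str,
             host_routes: Optional[Dict[str, str]] = None) -> IPv4Address:
    """Return the address the host will ARP for when sending to dst.

    host_iface is the host's own address with prefix, e.g. '10.0.0.50/24'.
    host_routes maps destination -> gateway (option 2 in the reply above).
    """
    dst_ip = ip_address(dst)
    routes = {ip_address(d): ip_address(g) for d, g in (host_routes or {}).items()}
    if dst_ip in routes:                 # an explicit host route wins
        return routes[dst_ip]
    if dst_ip in ip_interface(host_iface).network:
        return dst_ip                    # on-link: ARP for the destination itself
    return ip_address(default_gw)        # off-link: hand to the default gateway


def dnat_rule_fires(host_iface: str, dst: str, default_gw: str,
                    firewall_addrs: Set[str],
                    host_routes: Optional[Dict[str, str]] = None) -> bool:
    """True when the frame reaches the firewall's eth0, i.e. the host ARPs for
    an address the firewall owns and answers for. Only then can
    'iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -j DNAT ...' match."""
    hop = next_hop(host_iface, dst, default_gw, host_routes)
    return hop in {ip_address(a) for a in firewall_addrs}


FIREWALL_ETH0 = "10.0.0.250"   # from the thread
TARGET = "10.0.0.1"            # DNAT destination; no real host has it

if __name__ == "__main__":
    # Same /24 as the firewall, 10.0.0.1 assigned nowhere: the ARP goes unanswered.
    print(dnat_rule_fires("10.0.0.50/24", TARGET, FIREWALL_ETH0, {FIREWALL_ETH0}))
    # Option 1: the firewall also owns 10.0.0.1 (ip addr add 10.0.0.1/24 dev eth0).
    print(dnat_rule_fires("10.0.0.50/24", TARGET, FIREWALL_ETH0, {FIREWALL_ETH0, TARGET}))
    # Option 2: a host route for 10.0.0.1 via the firewall on every client.
    print(dnat_rule_fires("10.0.0.50/24", TARGET, FIREWALL_ETH0, {FIREWALL_ETH0},
                          host_routes={TARGET: FIREWALL_ETH0}))
    # A host off the 10.0.0.0/24 link whose default gateway is the firewall
    # (constructed addresses): the packet is routed to the firewall anyway.
    print(dnat_rule_fires("192.168.5.7/24", TARGET, "192.168.5.1",
                          {FIREWALL_ETH0, "192.168.5.1"}))
```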
 

-----Original Message-----
From: Shawn [mailto:core@xxxxxxxxxx]
Sent: Friday, June 20, 2003 12:42 PM
To: George Vieira
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Is this correct?


Do you say add 10.0.0.1 to eth0 because you figure I lack an external
routing reference making packets arrive at my host?

Come to think of it, there probably wouldn't be a router that could do
that in my scenario. Sorry if I was confusing. It's probably more
accurate to say that some host "10.23.4.209" is going to try to reach
10.0.0.1, and 10.0.0.250 is the last hop on the way there.

Now does that sound better?

On Thu, 2003-06-19 at 17:10, George Vieira wrote:
> The only way I know of to do that is to use iproute2 (or ifconfig) and add that IP to the firewall's eth0 device, and fix your rule (lowercase J).
> 
> ip addr add 10.0.0.1/8 dev eth0
> iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -j DNAT \
>  --to 192.168.0.1
> 
> I think that'll work OK..
> 
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@xxxxxxxxxxxxxxxxxxxxxx
> 
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
> 
> Phone   : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>  
> 
> -----Original Message-----
> From: Shawn [mailto:core@xxxxxxxxxx]
> Sent: Friday, June 20, 2003 7:07 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Is this correct?
> 
> 
> I have an iptables statement; I would just like someone to say if I have
> it right.
> 
> Let's say I have a linux box with eth0=10.0.0.250 and
> eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
> I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
> onto the linux box's eth0, and have them NATed to 192.168.0.1
> 
> Will the following statement do that?
> 
> iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
> 	--to 192.168.0.1
> 
> 
> 
