Re: Nat with a dynamic IP

That is a pretty good solution for the SNAT.  I never thought about MASQ.
However .... I am not sure if the DNAT is the best solution ....  What if
you had multiple IP numbers on the external card ....

More importantly, what about trying to connect directly to the firewall from
an external address?

----- Original Message -----
From: "Thorsten Scherf" <tscherf@xxxxxx>
To: "Peter Marshall" <peter.marshall@xxxxxxxxx>
Cc: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, September 05, 2003 11:05 AM
Subject: Re: Nat with a dynamic IP


> >Hi.  I was wondering if someone could tell me what a good way is to set up
> >DNAT and SNAT on a firewall if the external IP is not static ....
>
> Do not use SNAT, use Masquerading. You don't have to know your external IP
> here:
>
> iptables -t nat -A POSTROUTING -s $INT_NET -o $EXT_DEV -j MASQUERADE
>
> DNAT is also very simple, don't specify your external IP in DNAT Rule, just
> the Destination Port:
>
> iptables -t nat -A PREROUTING -p tcp --dport 25 -i $EXT_DEV -j DNAT --to-destination $SMTP_SERVER
>
>
> Greetings,
>
> Thorsten Scherf,
> RHCE, RHCX
>
>
>
>


