On Mon, 2003-09-15 at 15:31, Cedric Blancher wrote:
> On Mon 15/09/2003 at 15:09, Ray Leach wrote:
> > I think that the aliases on the interface have something to do with it.
>
> Nope.
> When you DNAT an IP address that does not belong to your DNATing box,
> there won't be anybody to answer prior router ARP requests on it, unless
> you either set an alias up or tell this router that the IP has to get
> routed through the DNATing box.
>
> > I have had to add input and output rules in some situations to get DNAT
> > to work the way it is supposed to (redirect to a different destination).
> > It is strange.
>
> Yes it is. I can get DNAT working without specifying any INPUT or OUTPUT
> chain. Can you illustrate a situation for which you have to specify
> INPUT and OUTPUT rules ?

Sure.

My firewall machine currently has 5 NICs, each with their own IP (one has a public IP - eth0).

eth0 has the public IP. It also has 10 alias IPs.
eth1 has a private IP of 192.168.1.1. The eth1 network is my DMZ with all the web servers from 192.168.1.165 to 192.168.1.173.

If I want to DNAT incoming traffic destined to one of the aliases bound to interface eth0 to a server in the DMZ - eth1 192.168.1.165 (for example), then I need:
- a PREROUTING DNAT rule
- a FORWARD rule for each direction (eth0 -> eth1 and eth1 -> eth0)
- and an INPUT rule for the eth0 alias IP.

Does that make sense? If I remove the INPUT rule, my DNAT does not work, the packets get sent to the OUTPUT chain ...

Ray
--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
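The rule set Ray describes (a PREROUTING DNAT rule plus a FORWARD rule in each direction, with the public address answered locally so the upstream router's ARP request gets a reply, as Cedric points out), written out as an added example that is not part of the thread or of either poster's configuration. The script only prints the commands so they can be reviewed before being applied; 203.0.113.10 is a constructed documentation address standing in for one of the eth0 aliases, and the TCP port 80 filter is an assumption for a web server in the DMZ. Forwarded DNAT traffic traverses PREROUTING, FORWARD and POSTROUTING, so no INPUT rule is emitted here.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Emits the iptables and
# iproute2 commands needed to DNAT one public alias on the WAN interface to a
# DMZ host, as a dry run that can be piped to sh once reviewed.
#
# Usage: dnat_rules PUBLIC_IP DMZ_IP PORT WAN_IF DMZ_IF
dnat_rules() {
    pub="$1"; dmz="$2"; port="$3"; wan="$4"; lan="$5"

    # 1. Bind the public address on the WAN interface so the firewall answers
    #    the upstream router's ARP requests for it (the alternative Cedric
    #    mentions is a static route on that router pointing at the firewall).
    echo "ip addr add $pub/32 dev $wan"

    # 2. Rewrite the destination before the routing decision, so the packet is
    #    routed towards the DMZ host instead of being delivered locally.
    echo "iptables -t nat -A PREROUTING -i $wan -d $pub -p tcp --dport $port -j DNAT --to-destination $dmz:$port"

    # 3. Permit the rewritten packets to be forwarded WAN -> DMZ, restricted to
    #    the one host and port that was published.
    echo "iptables -A FORWARD -i $wan -o $lan -d $dmz -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"

    # 4. Permit only replies DMZ -> WAN; conntrack reverses the DNAT on them.
    echo "iptables -A FORWARD -i $lan -o $wan -s $dmz -p tcp --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample matching the message: public alias on eth0, web server
# 192.168.1.165 on the eth1 DMZ. Review the output, then: dnat_rules ... | sh
dnat_rules 203.0.113.10 192.168.1.165 80 eth0 eth1
```

Keeping the FORWARD rules tied to the DNATed host and port, with the return direction limited to ESTABLISHED,RELATED, means the published alias exposes exactly one service and nothing else on the DMZ network becomes reachable through the rewrite.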