On Tue, 7 Oct 2003, Ramin Dousti wrote:

> Can you see response packets on C1 being 172.17.0.3 (by tcpdump)?
> What you say is strange because the application on C would see
> packets like a.b.c.d -> 1.1.1.1 and if the application which is
> supposed to reply back is listening on 1.1.1.1 (alias address) then
> the response will have 1.1.1.1 with no need to SNAT.

Box C is sending responses out the correct interface, with the correct destination address, but the source address is 172.17.0.3. This is why I thought I needed an SNAT (although it's probably more likely that I just need to beat the application and make it only bind to 1.1.1.1, then it should only use that for replies).

What I'm using to test, right now, is sshd. However, by default, sshd listens on *, so that may be a factor. I'm going to go find this out.

However, in the meantime, I just wanted to pick the brains of someone more knowledgeable in iptables/netfilter than I - I've never used iptables beyond some very, very simple masquerading before.

Thanks!

-j
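The diagnostic Ramin suggests (watch the replies on box C with tcpdump and compare their source address with the address the client actually connected to) can be automated over a saved capture. The script below is an added example, not code from this thread: it parses `tcpdump -n` style lines, pairs each reply from the service port with the inbound packet that provoked it, and reports every reply whose source differs from the destination the client used. The capture is constructed for the example; it reuses the addresses from the thread (alias 1.1.1.1, primary 172.17.0.3, sshd on port 22) and assumes a hypothetical client 10.0.0.5.

```python
import re

# Constructed sample of `tcpdump -ni eth0 port 22` output as seen on box C.
# Connection 1: client targets the alias 1.1.1.1 but the SYN-ACK leaves with
# the primary address 172.17.0.3 as source (the symptom described above).
# Connection 2: the reply correctly carries 1.1.1.1 as source.
SAMPLE_TCPDUMP = """\
12:00:00.000100 IP 10.0.0.5.41234 > 1.1.1.1.22: Flags [S], seq 100, win 65535, length 0
12:00:00.000200 IP 172.17.0.3.22 > 10.0.0.5.41234: Flags [S.], seq 200, ack 101, win 5840, length 0
12:00:00.000300 IP 10.0.0.5.41235 > 1.1.1.1.22: Flags [S], seq 300, win 65535, length 0
12:00:00.000400 IP 1.1.1.1.22 > 10.0.0.5.41235: Flags [S.], seq 400, ack 301, win 5840, length 0
"""

# One tcpdump -n line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Turn tcpdump -n output into a list of packet dicts; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = m.groupdict()
        pkt["sport"] = int(pkt["sport"])
        pkt["dport"] = int(pkt["dport"])
        packets.append(pkt)
    return packets


def check_reply_sources(packets, service_port):
    """Report replies from service_port whose source address is not the
    address the client sent its request to.

    Inbound packets (dport == service_port) record, per client endpoint,
    which local address the client targeted. Outbound packets
    (sport == service_port) are then compared against that record.
    """
    targeted = {}   # (client_ip, client_port) -> local address the client used
    mismatches = []
    for p in packets:
        if p["dport"] == service_port:
            targeted[(p["src"], p["sport"])] = p["dst"]
        elif p["sport"] == service_port:
            want = targeted.get((p["dst"], p["dport"]))
            if want is not None and want != p["src"]:
                mismatches.append({
                    "client": f"{p['dst']}:{p['dport']}",
                    "requested": want,
                    "replied_from": p["src"],
                })
    return mismatches


if __name__ == "__main__":
    # Example: sys.stdin could be used instead of the constructed sample.
    for bad in check_reply_sources(parse_tcpdump(SAMPLE_TCPDUMP), 22):
        print(f"client {bad['client']} connected to {bad['requested']} "
              f"but the reply came from {bad['replied_from']}")
```

On the constructed capture the checker flags the first connection only. If a real capture shows the same pattern, the two remedies discussed in the thread map to concrete configuration: restricting sshd to the alias with `ListenAddress 1.1.1.1` in sshd_config, or, as a fallback, a netfilter rule such as `iptables -t nat -A POSTROUTING -s 172.17.0.3 -p tcp --sport 22 -j SNAT --to-source 1.1.1.1` on box C; which one applies depends on the poster's topology, which this example does not know. Re-running the checker after the change verifies the fix rather than assuming it.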