If your webserver is your firewall box, DNAT is not necessary; just the INPUT rules are enough. E.g., with

    eth1 = isp1
    eth2 = isp2

    iptables -P INPUT DROP
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

and that's it.

----- Original Message -----
From: "Sandy T. Santos" <sandy@xxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Saturday, January 24, 2004 12:35 AM
Subject: nat on multihomed server

> Our company has two internet links from different ISPs. We then use both
> of these to host the company's webserver. What I want is that the
> webserver may be accessible by coming from my isp1 link or my isp2 link. I
> know that I need to set up my DNS to have two IP addresses that point to
> my Linux box and then DNAT that connection towards my webserver. What I
> don't know is what the iptables script is going to look like for the SNAT
> reply. How would I be able to determine that the request that came in to
> my webserver originated from my isp1 or isp2 link so that the reply would
> be SNAT'ed to that interface?
>
> Should I just make two SNATs that reply to the request regardless of
> the destination address? Ex.
>
>     iptables -t nat -A POSTROUTING -s 192.168.x.2 -p tcp --sport 80 -j SNAT --to-source (ip facing isp1)
>     iptables -t nat -A POSTROUTING -s 192.168.x.2 -p tcp --sport 80 -j SNAT --to-source (ip facing isp2)
>
> Other suggestions are welcome.
>
> --
> Sandy T. Santos <sandy@xxxxxxxxxxxxxx>
> Provincial Information Technology Office
> Provincial Government of Bulacan
> Malolos, Philippines
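The ruleset from the reply above, written out as an added example (not code from either poster). It generates the stateful INPUT policy in iptables-restore format so it can be reviewed before it is loaded, and goes one step beyond the reply by accepting new HTTP connections only on the two ISP-facing interfaces rather than on every interface. The interface names eth1/eth2 follow the reply; the loopback rule, the INVALID drop, the `print`/`apply` modes and the environment variables ISP1_IF/ISP2_IF are assumptions made here.

```shell
#!/bin/sh
# Added example for the "nat on multihomed server" thread: a webserver that
# runs on the firewall box itself needs no DNAT/SNAT, only INPUT rules.
# The ruleset is emitted in iptables-restore format so it can be inspected
# (and tested) without touching the kernel; "apply" loads it as root.

# gen_input_rules ISP_IF1 ISP_IF2
# Prints a complete *filter table with a default-DROP INPUT chain that
# accepts established traffic and new HTTP connections arriving on either
# ISP-facing interface. (Interface names are the only inputs.)
gen_input_rules() {
    [ $# -eq 2 ] || { echo "usage: gen_input_rules ISP_IF1 ISP_IF2" >&2; return 2; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $2 -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# count_http_accepts ISP_IF1 ISP_IF2
# Returns the number of rules that open TCP/80 for new connections, which
# is how the test below checks that both uplinks are served.
count_http_accepts() {
    gen_input_rules "$1" "$2" | grep -c -- '-p tcp --dport 80 -m state --state NEW -j ACCEPT' || true
}

# Stand-alone use: "sh rules.sh" prints the ruleset, "sh rules.sh apply"
# loads it (assumption: run as root with iptables-restore installed).
case "${1:-print}" in
    print) gen_input_rules "${ISP1_IF:-eth1}" "${ISP2_IF:-eth2}" ;;
    apply) gen_input_rules "${ISP1_IF:-eth1}" "${ISP2_IF:-eth2}" | iptables-restore ;;
esac
```

Because the web server's socket is bound to whichever local address the client connected to, the reply to a request that arrived via isp1 is already sourced from the isp1 address; no SNAT rule is needed for that, which is the point of the reply. One caveat that the thread does not cover: the reply packet is still routed by the ordinary routing table, so with a single default route the replies for the isp2 address may leave through eth1 unless source-based policy routing (`ip rule` plus a per-ISP routing table) is configured as well.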