> > > Well, DNAT is normally used to map externally-accessible public IPs to > > > real internal systems on non-routable 10.x.y.z, 172.16.a.b or 192.168.c.d > > > addresses, therefore the problem never arises (since people across the > > > Internet can't send packets to the real private addresses even if they > > > knew what they were). > > > > > > There isn't a "better" way to redirect traffic to other IP addresses, > > > however why do you think it's a problem for people to use the "real" > > > address instead of the one you're telling them to use. They have access > > > to the machine, so why does it really matter which address they use to > > > connect to it? > > > > The problem is that many hosts, with this setup, actually is connected to > > the internet using a public ip, and beeing able to resolve internal > > ip-information is not good. > > Now I'm confused. (Easily done...) > > Were the 192.168.x.y addresses you gave in your original posting accurate, or > just examples, and you are now saying that the source machines are actually > systems out on the Internet somewhere with real public IPs? > > Please clarify - who are you worried about discovering the real internal IP > addresses of your machines, and where are they located on the network? Can > they really send packets to the private IP address as you outlined in your > original posting? > > My expectation is that people "out on the Internet" cannot connect to your > private IPs (because the addresses are non-routable), therefore the question > doesn't arise for them. People associated with your local network (ie: > inside your connection point to the Internet) surely aren't a problem even if > they do discover the real private IP address? Or am I missing something > here about what you are trying to secure from whom? > > Hope that's clear.... > > Regards, > > Antony. > Well, the setup is used on a number of hosts located in a number of different environments. Some have public ip's, some don't. > inside your connection point to the Internet) surely aren't a problem even if > they do discover the real private IP address? Or am I missing something That just true in a very simple setup. If different people/compagnies are sharing a "backbone" (using maybe 192.168.1.0 as the lan behind a commen internet router) the problem is maybe not an internet problem, but an "internal" problem. Should one trust all the other compagnies on the backbone, of course not. So the general rule is ALWAYS to stop any leaking if it's possible. I have solved the problem by always running a second -j DROP rule in the PREROUTING chain (as you suggested). Bo
