On Thursday 20 May 2004 1:54 pm, O-Zone wrote:

> On Thursday 20 May 2004 14:30, Antony Stone wrote:
>
> > It's the reply packets which are the problem.
> >
> > http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html
>
> I've read that manual but it's not so clear. It says to do a:
>
> # iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
>     -p tcp --dport 80 -j SNAT --to 192.168.1.250
>
> but I can't understand what it says for 192.168.1.250. As in my config, I've
> written down that rule:
>
> $IPTABLES -t nat -A POSTROUTING -d 151.8.47.B -s 192.168.0.0/24 -p tcp -j \
>     SNAT --to 192.168.0.1
>
> ...where 192.168.0.1 is the DMZ interface of ROUTER. It doesn't work. Where's
> the error?

You need to make sure that the reply packets go back through the firewall, as
well as the forward packets.

The easiest way to do this is by adding a SNAT rule so that as far as the
destination server is concerned, the packets came from the firewall, not the
real client, and therefore the server sends the replies back to the firewall
(which then reverse-NATs them and returns the replies to the original client
machine).

Therefore in your case something such as:

iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -d 192.168.0.0/24 -j SNAT --to 192.168.0.1

should do the trick.

The above rule matches packets coming from an internal client (-s
192.168.0.0/24) and going to an internal server (-d 192.168.0.0/24), and
forces the source address to be that of the firewall (192.168.0.1) so the
replies go back by the same route.

Regards,

Antony.

-- 
The difference between theory and practice is that in theory there is no
difference, whereas in practice there is.

Please reply to the list; please don't CC me.
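As an added illustration (not part of the thread, and not netfilter code), the Python model below walks one request from a LAN client to the firewall's public address through a simplified firewall: PREROUTING DNAT to the internal server, routing, POSTROUTING SNAT, and a conntrack table that undoes both translations on the way back. All addresses are constructed; 198.51.100.10 stands in for the anonymised public address 151.8.47.B, and 192.168.0.80 for the DNAT'd server. It runs three cases: no SNAT rule (the server answers the client directly on the shared subnet, so the firewall never sees the reply and the client receives it from the wrong address), a POSTROUTING rule matching the public address (it never fires, because by the time a packet reaches POSTROUTING its destination has already been rewritten in PREROUTING), and the LAN-to-LAN SNAT rule proposed in the reply above.

```python
"""Hairpin (NAT loopback) walkthrough: why a DNAT'd LAN-to-LAN connection
needs a matching SNAT so the server's replies return via the firewall.

All addresses below are constructed for this example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
ROUTER_LAN_IP = "192.168.0.1"   # the firewall's DMZ/LAN-side interface
PUBLIC_IP = "198.51.100.10"     # placeholder for the anonymised 151.8.47.B
SERVER_IP = "192.168.0.80"      # internal web server reached via DNAT
CLIENT_IP = "192.168.0.50"      # a client on the same subnet as the server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class SnatRule:
    """A nat POSTROUTING rule: '-s src_net -d dst_net -j SNAT --to to_ip'."""
    src_net: str
    dst_net: str
    to_ip: str

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


class Firewall:
    def __init__(self, snat_rules):
        self.snat_rules = snat_rules
        self.conntrack = {}   # reply 4-tuple -> packet as originally sent

    def forward(self, pkt):
        """Forward path: PREROUTING DNAT, then POSTROUTING SNAT."""
        original = pkt
        # PREROUTING: the public address is DNAT'd to the internal server.
        if pkt.dst == PUBLIC_IP:
            pkt = replace(pkt, dst=SERVER_IP)
        # POSTROUTING: first matching rule wins. pkt.dst is already the
        # server's address here, so a rule matching '-d PUBLIC_IP' cannot fire.
        for rule in self.snat_rules:
            if rule.matches(pkt):
                pkt = replace(pkt, src=rule.to_ip)
                break
        # conntrack remembers how to undo both translations for the reply.
        self.conntrack[(pkt.dst, pkt.src, pkt.dport, pkt.sport)] = original
        return pkt

    def reverse(self, reply):
        """Reply path: look up the connection and restore the original addresses."""
        orig = self.conntrack[(reply.src, reply.dst, reply.sport, reply.dport)]
        return Packet(orig.dst, orig.src, orig.dport, orig.sport)


def attempt(snat_rules):
    """Send one request through a firewall with the given SNAT rules and
    return (packet as the server sees it, reply as the client sees it)."""
    fw = Firewall(snat_rules)
    request = Packet(CLIENT_IP, PUBLIC_IP, 40000, 80)
    at_server = fw.forward(request)
    reply = Packet(SERVER_IP, at_server.src, 80, at_server.sport)
    if reply.dst == ROUTER_LAN_IP:
        at_client = fw.reverse(reply)      # reply travels back via the firewall
    else:
        at_client = reply                  # same subnet: delivered directly, un-NATed
    return at_server, at_client


def client_accepts(at_client):
    """The client spoke to PUBLIC_IP:80 from CLIENT_IP:40000; only a reply
    from exactly that pair belongs to its connection."""
    return (at_client.src, at_client.dst, at_client.sport, at_client.dport) == \
        (PUBLIC_IP, CLIENT_IP, 80, 40000)


if __name__ == "__main__":
    cases = {
        "no SNAT rule": [],
        "SNAT matching the public address": [SnatRule("192.168.0.0/24", PUBLIC_IP + "/32", ROUTER_LAN_IP)],
        "SNAT for LAN-to-LAN traffic": [SnatRule("192.168.0.0/24", "192.168.0.0/24", ROUTER_LAN_IP)],
    }
    for name, rules in cases.items():
        at_server, at_client = attempt(rules)
        print(f"{name}: server sees src={at_server.src}, client gets reply from "
              f"{at_client.src}, connection {'works' if client_accepts(at_client) else 'fails'}")
```

The model keeps only what the thread turns on: which chain sees which addresses, and whether the reply physically crosses the firewall. Real conntrack also tracks state and ports, but the outcome of the three cases is the same.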