On Thursday 20 May 2004 3:37 pm, O-Zone wrote:

> On Thursday 20 May 2004 15:22, Antony Stone wrote:
>
> > You need to make sure that the reply packets go back through the
> > firewall, as well as the forward packets. The easiest way to do this is
> > by adding a SNAT rule so that as far as the destination server is
> > concerned, the packets came from the firewall, not the real client, and
> > therefore the server sends the replies back to the firewall (which then
> > reverse-NATs them and returns the replies to the original client
> > machine).
> >
> > Therefore in your case something such as:
> >
> > iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -d 192.168.0.0/24 -j SNAT --to 192.168.0.1
>
> But, I think, I need to add other rules because the original connection
> came from 192.168.0.x to 151.8.47.x, right?

Yes, but that destination address has already been changed by your PREROUTING
rule, and is now 192.168.0.0/24 - that's the whole point.

If the destination address had not been changed (i.e. if the client had
contacted the server's real IP address instead of a pretend one), you wouldn't
need to change the source address as well.

If you think you need other rules, please explain what they would be and why
they are needed - it's entirely possible I have missed something about your
setup.

Regards,

Antony.

--
The truth is rarely pure, and never simple.

 - Oscar Wilde

Please reply to the list; please don't CC me.
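The reply-path argument in the exchange above, worked through as a small model (added example, not code from the thread or from either poster). It assumes the firewall is 192.168.0.1 and the LAN's default gateway, that the "pretend" public address is 151.8.47.5 (a placeholder host in the /24 the thread mentions), and that the real server is 192.168.0.10; it also checks the non-hairpin case (an Internet client) where no SNAT is needed.

```python
from ipaddress import ip_address, ip_network

# Assumed topology (constructed for this example, not from the thread).
LAN = ip_network("192.168.0.0/24")
FIREWALL_LAN_IP = "192.168.0.1"   # firewall's LAN address; also the LAN default gateway
PUBLIC_IP = "151.8.47.5"          # the "pretend" address clients contact (DNAT target)
SERVER_IP = "192.168.0.10"        # the real server behind the DNAT


def firewall_forward(pkt, snat):
    """Forward path through the firewall: PREROUTING DNAT, then the optional
    POSTROUTING SNAT that only matches LAN -> LAN traffic (as in the rule above).
    Returns the packet as the server sees it plus the conntrack entry."""
    fwd = {"src": pkt["src"], "dst": SERVER_IP}          # DNAT 151.8.47.5 -> server
    if snat and ip_address(fwd["src"]) in LAN and ip_address(fwd["dst"]) in LAN:
        fwd["src"] = FIREWALL_LAN_IP                     # hairpin SNAT to the firewall
    conntrack = {"orig": pkt, "reply_expected": {"src": fwd["dst"], "dst": fwd["src"]}}
    return fwd, conntrack


def server_reply(seen):
    """The server answers whatever source address it saw."""
    return {"src": seen["dst"], "dst": seen["src"]}


def route_reply(reply, conntrack):
    """The server's routing decision: a same-subnet destination is delivered
    directly (bypassing the firewall, so nothing reverse-NATs the packet);
    anything else goes via the default gateway, where conntrack undoes the NAT."""
    if ip_address(reply["dst"]) in LAN and reply["dst"] != FIREWALL_LAN_IP:
        return reply                                     # never reaches the firewall
    assert reply == conntrack["reply_expected"]          # matches the tracked flow
    orig = conntrack["orig"]
    return {"src": orig["dst"], "dst": orig["src"]}      # reverse both translations


def client_sees_reply(client_ip, snat):
    """True if the reply arrives from the address the client actually contacted;
    a reply from any other source does not match the client's connection."""
    request = {"src": client_ip, "dst": PUBLIC_IP}
    seen, ct = firewall_forward(request, snat)
    reply = route_reply(server_reply(seen), ct)
    return reply["src"] == request["dst"]


if __name__ == "__main__":
    print("LAN client, no SNAT:", client_sees_reply("192.168.0.20", snat=False))
    print("LAN client, SNAT:   ", client_sees_reply("192.168.0.20", snat=True))
    print("Internet client:    ", client_sees_reply("203.0.113.7", snat=False))
```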