Re: DNAT question

On Mon, 2004-06-14 at 10:35, Arnauts, Bert wrote:
> Hello all,
> 
> I want to DNAT some machines in another subnet.
> The target machines have IPs like 11.0.0.x/24
> 
> My available LAN IPs are 172.239.239.x/27 (255.255.255.224)
> 
> These are my rules. Which are apparently not working.
> I created virtual interfaces on eth1, one for each DNAT'ed IP.
> 
> What am I missing? Forget about normal tables stuff, I only want this
> machine to do DNAT.
> 
> Thx,
> 
> 
> INET_IP="172.25.239.208"
> INET_IFACE="eth1"
> INET_BROADCAST="172.25.239.223"
> LAN_IP="11.0.0.1"
> LAN_IP_RANGE="11.0.0.0/24"
> LAN_IFACE="eth0"
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
> IPTABLES="/sbin/iptables"
> echo "1" > /proc/sys/net/ipv4/ip_forward
> $IPTABLES --flush
> $IPTABLES --table nat --flush
> $IPTABLES --delete-chain
> $IPTABLES --table nat --delete-chain
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -d 172.25.239.220/255.255.255.224 -j DNAT --to 11.0.0.9

Now that I look at it while awake :-), that last rule looks a bit
strange.  Do you mean -d 172.25.239.220/255.255.255.255 or
172.25.239.192/255.255.255.224?

I believe iptables is looking for the base address of the network when
used with a subnet mask and not the node address.
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
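As an added illustration of the point above (not code from either poster), here is a small Python check that applies the same address-and-netmask semantics iptables uses for `-d`, so you can see which destinations the quoted PREROUTING rule really matches. The sample destination addresses are constructed from the values in the quoted script.

```python
# Added example, not from the thread: mirror how iptables evaluates a
# "-d address/netmask" match to show why 172.25.239.220/255.255.255.224
# selects the whole /27 (including the firewall's own INET_IP) rather
# than the single host 172.25.239.220.
import ipaddress


def effective_network(spec: str) -> str:
    """Base-address form that iptables actually stores for a -d spec.

    iptables ANDs the given address with the mask, so host bits are
    dropped: 172.25.239.220/27 becomes 172.25.239.192/27.
    A bare address with no mask is treated as a /32 host match.
    """
    addr, _, mask = spec.partition("/")
    return str(ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False))


def iptables_dst_match(spec: str, packet_dst: str) -> bool:
    """True if a packet to packet_dst matches the -d spec (masked compare)."""
    net = ipaddress.ip_network(effective_network(spec))
    return ipaddress.ip_address(packet_dst) in net


# Constructed sample destinations: the DNAT alias the poster intended,
# the firewall's own INET_IP, another host in the /27, one outside it.
SAMPLE_DSTS = [
    "172.25.239.220",  # intended alias for 11.0.0.9
    "172.25.239.208",  # INET_IP of the firewall itself
    "172.25.239.193",  # some other host in 172.25.239.192/27
    "172.25.239.225",  # outside the /27
]


def matches_for(spec: str) -> dict:
    """Map each sample destination to whether the spec would DNAT it."""
    return {dst: iptables_dst_match(spec, dst) for dst in SAMPLE_DSTS}


if __name__ == "__main__":
    for spec in ("172.25.239.220/255.255.255.224",   # rule as posted
                 "172.25.239.220/255.255.255.255",   # single-host form
                 "172.25.239.192/255.255.255.224"):  # whole-subnet form
        print(f"{spec:34} -> {effective_network(spec):20} {matches_for(spec)}")
```

Run as a script it prints, for each spec, the network iptables would store and which of the sample destinations it matches; only the /32 form limits the DNAT to the one alias address.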