On Friday 18 June 2004 5:06 pm, Patrick Leslie Polzer wrote:
> On Fri, 18 Jun 2004 17:45:20 +0200
>
> "Arnauts, Bert" <Bert.Arnauts@xxxxxxxxxxxxxxxxxxx> wrote:
> > Could you please check my config, if I execute this I can not ping my
> > internal lan ip of this host 172.25.239.208 any more. I think this is
> > really weird.
>
> Why? These lines:
>
> > $IPTABLES -t nat -A PREROUTING -d 172.25.239.220/27 -j DNAT
> > --to-destination 11.0.0.16
> > $IPTABLES -t nat -A OUTPUT -d
> > 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16
>
> are doing everything to keep ALL packets away from you ;)
> All outgoing packets (statement 2) are redirected to 11.0.0.16
> and all incoming are as well (statement 1)!
> How do you expect ping to work with that? :-O

Good point, but surely a ping packet sent to 172.25.239.220 (let's overlook the netmask for the time being...) would get redirected to 11.0.0.16, and provided that machine responds to the ping (and the reply goes back through netfilter's NAT table) the originating client might see the reply?

However, I am certainly highly confused by what Bert is trying to achieve here - perhaps the answers to a few questions would help:

1. How many interfaces does the netfilter machine have? What are their IP addresses?

2. Where is machine 11.0.0.16? How are packets routed to that from the netfilter machine?

3. What address are you sending the ping packets from (and to)? How is that client routed to the netfilter box?

4. What, in simple terms, are you trying to achieve with the two rules which Patrick has queried above?

Regards,

Antony.

--
"It would appear we have reached the limits of what it is possible to achieve with computer technology, although one should be careful with such statements; they tend to sound pretty silly in five years."
 - John von Neumann (1949)

Please reply to the list; please don't CC me.
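The netmask Antony sets aside is worth checking explicitly: to iptables, `-d 172.25.239.220/27` means the network 172.25.239.192/27, which contains the host's own address 172.25.239.208, so both DNAT rules match the host's own traffic. The Python below is an added illustration, not code from the thread or from netfilter; the rule table is constructed from the two quoted rules, and `narrowed()` rewrites them to a single-host /32 match purely for comparison, not as a claim about what Bert intended.

```python
import ipaddress

# Constructed from the two DNAT rules quoted in the thread (not the poster's own script).
# Each entry records the chain and the -d (destination) match of one rule.
QUOTED_RULES = [
    {"chain": "PREROUTING", "dst": "172.25.239.220/27", "to": "11.0.0.16"},
    {"chain": "OUTPUT",     "dst": "172.25.239.220/27", "to": "11.0.0.16"},
]

def effective_network(dst_spec):
    """Network that a `-d addr/prefix` match really covers.

    iptables applies the mask to the written address, so host bits are
    ignored; strict=False makes the ipaddress module do the same.
    """
    return ipaddress.ip_network(dst_spec, strict=False)

def chains_matching(addr, rules):
    """Chains whose DNAT rule would rewrite packets addressed to `addr`."""
    ip = ipaddress.ip_address(addr)
    return [r["chain"] for r in rules if ip in effective_network(r["dst"])]

def host_caught_by_own_nat(host_ip, rules):
    """True when packets to the host's own address are DNATed elsewhere.

    A match in OUTPUT rewrites locally generated packets (such as a ping
    to host_ip) before routing; a match in PREROUTING rewrites inbound
    packets aimed at host_ip.
    """
    return bool(chains_matching(host_ip, rules))

def narrowed(rules):
    """Same rules with the prefix replaced by a single-host /32 (illustration only)."""
    out = []
    for r in rules:
        host = r["dst"].split("/")[0]
        out.append({**r, "dst": f"{host}/32"})
    return out

if __name__ == "__main__":
    print(effective_network("172.25.239.220/27"))          # 172.25.239.192/27
    print(chains_matching("172.25.239.208", QUOTED_RULES))  # ['PREROUTING', 'OUTPUT']
    print(chains_matching("172.25.239.208", narrowed(QUOTED_RULES)))  # []
```

Running the check against a rule set before loading it catches an overbroad prefix that silently swallows the box's own addresses.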