I'm trying to wrap my head around some iptables issues with a failover box I'm working on. The failover box has an interface to the outside world, and an interface to each server. I've read every FAQ and HOWTO I can get my hands on. I wish the archives of this mailing list were searchable...

Anyways, I have a few questions:

I understand how DNAT works in the prerouting chain. You change the destination and out the packet goes to the preferred server. No problemo. But when the packet comes back, the failover box appears to SNAT the packet. I've seen this referred to as un-DNATing. It makes perfect sense that, since the client expects packets back from the address it sent them to, this is required behavior, but can this be turned off or controlled? I just found it odd that this happened with no iptables rules.

What's up with the "no filtering" guideline for the PRE and POST routing chains? I'm doing it right now and it seems to work fine, but WHY is this a problem, and how else would I do it? It seems that it would result in a longer ruleset if I had to do this in the FORWARD chain. Is lightning going to strike me down?

Thanks!

-Jeff

-----------------------------------------------------------
Jeffrey Albro | Systems Administrator
Boston University - Department of Electrical and Computer Engineering
jalbro@xxxxxx | Photonics, Room 305 | 617-358-2785
-----------------------------------------------------------
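The failover setup asked about above, as an added example that is not part of the original post: a shell script that emits an iptables-restore ruleset with the DNAT in the nat table's PREROUTING chain and the actual filtering in the filter table's FORWARD chain, where conntrack handles the reverse translation of replies without any SNAT rule. Interface names, addresses and the port are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). All names below are assumed.
WAN_IF="eth0"          # interface to the outside world
VIP="203.0.113.10"     # public address clients connect to
PREFERRED="10.0.0.10"  # currently preferred backend server
SRV_IF="eth1"          # interface towards that server
PORT="80"

# Emit the ruleset instead of applying it, so it can be reviewed first and
# then piped into iptables-restore. The nat table only sees the first packet
# of each connection; conntrack rewrites every later packet in both
# directions (the "un-DNAT" of the reply), so no SNAT rule is needed and
# no filtering verdict belongs in the nat chains.
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $VIP -p tcp --dport $PORT -j DNAT --to-destination $PREFERRED:$PORT
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $SRV_IF -p tcp -d $PREFERRED --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Check before loading: no ACCEPT/DROP/REJECT verdicts inside the nat table.
# Exits 0 when the nat table is clean, 1 otherwise.
nat_table_is_clean() {
    build_rules | awk '/^\*nat/{t=1} /^\*filter/{t=0}
                       t && /-j (ACCEPT|DROP|REJECT)/{f=1}
                       END{exit f ? 1 : 0}'
}

# Number of DNAT rules emitted (one per translated service).
dnat_rule_count() {
    build_rules | grep -c -- '-j DNAT'
}
```

Load with `build_rules | iptables-restore` once `nat_table_is_clean` succeeds.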