On Thu, 2004-09-23 at 23:24, Patrick Dung wrote:
> Dear All
>
> This is what I want:
>
> eth0 as internet (1.1.1.1)
> eth1 as dmz (10.1.1.1)
>
> dmz has a web (10.1.1.2) and dns (10.1.1.3) server
> with private IP.
> The netfilter fw will do the static IP (public to
> private) IP mapping.
> Available public IP (example):
> 1.1.1.1 (eth0), 1.1.1.2 (for web), 1.1.1.3 (for dns)
>
> Now I have these rules:
>
> iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.2 -p tcp --dport 80 -j DNAT --to 10.1.1.2:80
> iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.3 -p udp --dport 53 -j DNAT --to 10.1.1.3:53
>
> The problem is that there is no response from 1.1.1.2
> and 1.1.1.3.
> Do I need other special setting (proxy arp?)

yup.  on netfilter machine:

ip address add 1.1.1.2 dev eth0
ip address add 1.1.1.3 dev eth0

remember to use 10.1.1.[23] in your filter rules and not 1.1.1.[23].

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>
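The complete rule set for the setup discussed above, as an added example that is not part of the thread. It is a script that prints the commands (interface names and addresses are the ones from the thread; the ip_forward sysctl, the conntrack state rule and the default DROP policy on FORWARD are assumptions) so they can be reviewed and then piped to `sh` as root. It also includes a small check, `check_forward_rules`, for the mistake Jason warns about: a filter-table rule that matches on the public address can never match, because by the time the packet reaches FORWARD the nat/PREROUTING DNAT has already rewritten the destination to the private address.

```shell
#!/bin/sh
# Added example, not from the thread.  Addresses and interfaces as given by
# Patrick; everything else is assumed.
WAN=eth0; DMZ=eth1
WEB_PUB=1.1.1.2; WEB_PRIV=10.1.1.2
DNS_PUB=1.1.1.3; DNS_PRIV=10.1.1.3

# Print the commands that set up the DMZ mapping.  Review, then: dmz_rules | sh
dmz_rules() {
    # The firewall must own the public addresses so it answers ARP for them;
    # with these secondary addresses on eth0 no proxy ARP is needed.
    printf 'ip address add %s dev %s\n' "$WEB_PUB" "$WAN"
    printf 'ip address add %s dev %s\n' "$DNS_PUB" "$WAN"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'

    # nat/PREROUTING: public -> private rewrite, done before routing.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' \
        "$WAN" "$WEB_PUB" "$WEB_PRIV"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p udp --dport 53 -j DNAT --to-destination %s:53\n' \
        "$WAN" "$DNS_PUB" "$DNS_PRIV"

    # filter/FORWARD sees the already-translated destination, so the private
    # addresses are matched here, never 1.1.1.2 / 1.1.1.3.
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN" "$DMZ" "$WEB_PRIV"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p udp --dport 53 -j ACCEPT\n' \
        "$WAN" "$DMZ" "$DNS_PRIV"
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -P FORWARD DROP\n'
}

# Read a generated command list on stdin and fail (non-zero) if any iptables
# rule outside the nat table matches on one of the public addresses: such a
# rule silently never matches after DNAT and the service appears dead.
check_forward_rules() {
    ! grep '^iptables' | grep -v -- '-t nat' | grep -E -q -- "-d (${WEB_PUB}|${DNS_PUB})( |$)"
}
```

`dmz_rules | check_forward_rules` returns 0 for the rule set above; feeding it a FORWARD rule written with `-d 1.1.1.2` makes it return 1, which is the symptom Jason's last line is about.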