By the way, for my case, do I also need to add this rule:

iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.2 -j SNAT --to 1.1.1.2 ..etc..

Regards
Patrick

--- Jason Opperisano <opie@xxxxxxxxxxx> wrote:

> On Thu, 2004-09-23 at 23:24, Patrick Dung wrote:
> > Dear All
> >
> > This is what I want:
> >
> > eth0 as internet (1.1.1.1)
> > eth1 as dmz (10.1.1.1)
> >
> > dmz has a web (10.1.1.2) and dns (10.1.1.3) server with private IP.
> > The netfilter fw will do the static IP (public to private) IP mapping.
> > Available public IP (example):
> > 1.1.1.1 (eth0), 1.1.1.2 (for web), 1.1.1.3 (for dns)
> >
> > Now I have these rules:
> >
> > iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.2 -p tcp --dport 80 -j DNAT --to 10.1.1.2:80
> > iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.3 -p udp --dport 53 -j DNAT --to 10.1.1.3:53
> >
> > The problem is that there is no response from 1.1.1.2 and 1.1.1.3.
> > Do I need other special setting (proxy arp?)
>
> yup. on netfilter machine:
>
> ip address add 1.1.1.2 dev eth0
> ip address add 1.1.1.3 dev eth0
>
> remember to use 10.1.1.[23] in your filter rules and not 1.1.1.[23].
>
> -j
>
> --
> Jason Opperisano <opie@xxxxxxxxxxx>
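The complete rule set for the topology in this thread, as an added example that is not Patrick's or Jason's code: it publishes each public address on eth0 (Jason's fix), adds the DNAT rule, pairs it with the POSTROUTING SNAT rule Patrick asks about (conntrack already reverse-translates replies to DNATed connections, so SNAT only matters for connections the DMZ host originates), and writes the FORWARD filter rules against the private addresses, since filtering happens after PREROUTING DNAT. Interface names and addresses are taken from the thread; the mapping table, the `APPLY` switch and the default-DROP FORWARD policy are assumptions added here. By default the script only prints the commands for review; with `APPLY=1` it pipes them into `sh -e`.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (and optionally
# applies) the netfilter rules for a DMZ with 1:1 public->private mapping.

EXT_IF="${EXT_IF:-eth0}"   # internet side, holds 1.1.1.1 (from the thread)
DMZ_IF="${DMZ_IF:-eth1}"   # dmz side, 10.1.1.1 (from the thread)

# Constructed mapping table: public IP, private IP, protocol, port.
MAPPINGS="1.1.1.2 10.1.1.2 tcp 80
1.1.1.3 10.1.1.3 udp 53"

# Print the commands needed for one public->private service mapping.
dmz_nat_rules() {
    pub="$1"; priv="$2"; proto="$3"; port="$4"
    # The firewall must own the public address so it answers ARP for it;
    # otherwise the upstream router never delivers the packets (Jason's point).
    echo "ip address add $pub/32 dev $EXT_IF"
    # Rewrite the destination before the routing decision.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -p $proto --dport $port -j DNAT --to-destination $priv:$port"
    # Connections the DMZ host itself originates leave with its public address.
    # (Replies to DNATed connections are un-DNATed by conntrack without this.)
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
    # FORWARD runs after PREROUTING DNAT, so the filter must match the private IP.
    echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $priv -p $proto --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
}

# Print the whole rule set: default-deny forwarding, allow return traffic,
# then one group of rules per mapping.
all_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$MAPPINGS" | while read -r pub priv proto port; do
        [ -n "$pub" ] || continue
        dmz_nat_rules "$pub" "$priv" "$proto" "$port"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    all_rules | sh -e      # apply for real (needs root and iptables/iproute2)
else
    all_rules              # dry run: just show what would be executed
fi
```

Run it as-is to review the generated commands; only `APPLY=1 ./dmz-nat.sh` touches the running system. The FORWARD rules deliberately never mention 1.1.1.2 or 1.1.1.3, which is the mistake Jason warns about.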