I went back to the sample source and changed a couple of little items to match how they had it. It still fails for each internal request for the external IP, with the exception of the firewall itself. ping 206.17.98.52 from machine 206.17.98.60 results in a return from 192.168.0.52.

#Incoming Maps
[0:0] -A PREROUTING -d 206.17.98.51 -j DNAT --to-destination 192.168.0.51
[0:0] -A PREROUTING -d 206.17.98.52 -j DNAT --to-destination 192.168.0.52
...
[0:0] -A PREROUTING -d 206.17.98.62 -j DNAT --to-destination 192.168.0.62

#Outgoing Maps
[0:0] -A POSTROUTING -d 206.17.98.51 -j SNAT --to-source 192.168.0.51
[0:0] -A POSTROUTING -d 206.17.98.52 -j SNAT --to-source 192.168.0.52
...
[0:0] -A POSTROUTING -d 206.17.98.62 -j SNAT --to-source 192.168.0.62
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source 206.17.98.50

#************************************************************
[0:0] -A OUTPUT -d 192.168.0.51 -j DNAT --to-destination 206.17.98.51
[0:0] -A OUTPUT -d 192.168.0.52 -j DNAT --to-destination 206.17.98.52
...
[0:0] -A OUTPUT -d 192.168.0.62 -j DNAT --to-destination 206.17.98.62

I know that I must be missing something simple.

Gary Smith

________________________________
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Gary W. Smith
Sent: Sun 11/14/2004 2:53 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: SNAT question

I'm having a problem with DNAT/SNAT. I have this on a couple of firewalls at different places and it works great. I'm implementing this on a new firewall based on RHEL3 and it seems to work great for everything except local servers with external IPs. Trying to access 206.14.210.52 internally returns me 192.168.0.52. If I access it from the firewall it all works fine. If I access it from another workstation or the server itself, then it returns the local IP as part of the ping.

Some time ago on another firewall with multiple segments someone told me to put this:

-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.52 -j SNAT --to-source 206.17.98.52

On another firewall at another location I found that they had:

-A POSTROUTING -s 192.168.0.52 -d 192.168.0.52 -j SNAT --to-source 206.17.98.52

Something to note is that this is a custom RHEL3v3 compile with pptp-conntrack compiled in. We also recompiled iptables using the new userspace changes.

The location where I got the information regarding the original DNAT/SNAT is:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET

Here is the actual PRE/POST/OUT routing section:

[0:0] -A PREROUTING -d 206.14.210.51 -j DNAT --to-destination 192.168.0.51
[0:0] -A PREROUTING -d 206.14.210.52 -j DNAT --to-destination 192.168.0.52
...
[0:0] -A PREROUTING -d 206.14.210.62 -j DNAT --to-destination 192.168.0.62
[0:0] -A POSTROUTING -s 192.168.0.51 -o eth0 -j SNAT --to-source 206.14.210.51
[0:0] -A POSTROUTING -s 192.168.0.52 -o eth0 -j SNAT --to-source 206.14.210.52
#[0:0] -A POSTROUTING -s 192.168.0.52 -d 192.168.0.52 -j SNAT --to-source 206.17.98.52
...
[0:0] -A POSTROUTING -s 192.168.0.62 -o eth0 -j SNAT --to-source 206.17.98.62
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source 206.17.98.50
[0:0] -A OUTPUT -d 206.17.98.51 -j DNAT --to-destination 192.168.0.51
[0:0] -A OUTPUT -d 206.17.98.52 -j DNAT --to-destination 192.168.0.52
...
[0:0] -A OUTPUT -d 206.17.98.62 -j DNAT --to-destination 192.168.0.62
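The symptom in the thread (a LAN client reaching a LAN server through its public address sees replies from the private address) is the classic hairpin NAT case: PREROUTING DNAT rewrites the destination, but the server's reply goes straight back to the client on the same segment without passing the firewall, so it is never un-DNATed. The usual remedy is an extra POSTROUTING SNAT that rewrites the LAN client's source to the firewall's own LAN address, forcing the reply back through the firewall. The generator below is an added example, not the poster's configuration; it assumes eth0 is the public interface, 192.168.0.0/24 is the LAN, and 192.168.0.1 is the firewall's LAN address (none of which the thread states).

```shell
#!/bin/sh
# Added example: emit an iptables-restore "*nat" section for 1:1
# public/private mappings, including the hairpin SNAT rule.
# Assumed values (not from the thread):
LAN_NET="192.168.0.0/24"   # internal segment
FW_LAN_IP="192.168.0.1"    # firewall's address on that segment
WAN_IF="eth0"              # public-facing interface

# gen_nat_rules FW_PUBLIC_IP PUB1:PRIV1 [PUB2:PRIV2 ...]
gen_nat_rules() {
    fw_pub="$1"; shift
    echo "*nat"
    for pair in "$@"; do
        pub="${pair%%:*}"; priv="${pair##*:}"
        # Inbound: traffic to the public address from ANY interface (no -i),
        # so LAN clients using the public address are redirected as well.
        echo "-A PREROUTING -d $pub -j DNAT --to-destination $priv"
    done
    for pair in "$@"; do
        pub="${pair%%:*}"; priv="${pair##*:}"
        # Hairpin: a LAN client that was just DNATed to a LAN server gets its
        # source rewritten to the firewall, so the server replies to the
        # firewall (which un-DNATs) instead of directly to the client.
        echo "-A POSTROUTING -s $LAN_NET -d $priv -j SNAT --to-source $FW_LAN_IP"
        # Outbound: the server's own traffic leaves with its public address.
        echo "-A POSTROUTING -s $priv -o $WAN_IF -j SNAT --to-source $pub"
    done
    # Catch-all: everything else from the LAN leaves as the firewall.
    echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $fw_pub"
    echo "COMMIT"
}
```

Pipe the output into `iptables-restore -n` (or review it first) after replacing the assumed addresses with the real ones; the hairpin rule costs the server the client's real source address in its logs, which is the usual trade-off of this approach.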