On Fri, 2005-03-11 at 10:41, Dimitri Yioulos wrote:
> Sorry for any confusion I may be causing. Here's a little more info:
>
> I've aliased my Web and mail server public addresses to eth0:0 and eth0:1
> (eth0 being the external interface). I think I've read that this isn't the
> optimal set-up, but it does work. That shouldn't matter, should it?
>
> The key here may be in omitting a NAT postrouting rule (sorry if the
> terminology is incorrect). Here's what I have:
>
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
>     -j DNAT --to-destination $DMZ_HTTP_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SMTP_IP --dport 25 \
>     -j DNAT --to-destination $DMZ_SMTP_IP
> $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $SMTP_IP --dport 25 \
>     -j DNAT --to-destination $DMZ_SMTP_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SMTP_IP --dport 110 \
>     -j DNAT --to-destination $DMZ_SMTP_IP
> $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $SMTP_IP --dport 110 \
>     -j DNAT --to-destination $DMZ_SMTP_IP
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
>
> in that order. I will change the last rule to include -s $INSIDE_NET. I
> also notice that I don't have the outbound one-to-one NAT for web or mail
> servers. So, if I add:
>
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $WEB_SRV_PRIV_IP \
>     -j SNAT --to-source $WEB_SRV_PUB_IP
>
> and
>
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $MAIL_SRV_PRIV_IP \
>     -j SNAT --to-source $MAIL_SRV_PUB_IP
>
> just after the outbound many-to-one NAT for inside net as above, will I be
> good?

yes.

> Thanks so much for your time.

no prob.

-j

-- 
"It takes two to lie. One to lie and one to listen."
--The Simpsons
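The rule set the thread converges on, written out as an added example. This is not code from either poster or from the original message; every address, network and interface name in it is a hypothetical placeholder (RFC 5737 and RFC 1918 ranges) and the variable names differ from the ones quoted above. It goes slightly beyond what was discussed in two ways: the one-to-one SNAT rules are placed ahead of the many-to-one rule, because the nat table is first-match and that ordering works whether or not the catch-all carries -s, and the UDP DNAT rules for ports 25 and 110 are left out since SMTP and POP3 are TCP services. It also includes a small self-check on the generated ordering that runs in dry-run mode.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete nat-table rule set for
# the layout discussed above (public addresses aliased on the external
# interface, one-to-one NAT to DMZ web and mail hosts, many-to-one NAT for
# the LAN). Every address, network and interface name below is a hypothetical
# placeholder (RFC 5737 / RFC 1918 ranges); substitute your own.
#
# Run with APPLY=1 as root to load the rules; otherwise the iptables commands
# are only printed, so the ordering can be reviewed first.

INET_IFACE="eth0"
INET_IP="203.0.113.1"        # primary public address, used for many-to-one NAT
INSIDE_NET="192.168.1.0/24"  # LAN behind the firewall
HTTP_IP="203.0.113.2"        # public address aliased as eth0:0
DMZ_HTTP_IP="192.168.2.10"   # web server in the DMZ
SMTP_IP="203.0.113.3"        # public address aliased as eth0:1
DMZ_SMTP_IP="192.168.2.20"   # mail server in the DMZ

# Emit (or apply) the rules. $1 is the command prefix: "iptables" to apply,
# "echo iptables" to print. It is deliberately left unquoted below so that
# "echo iptables" splits into two words.
nat_rules() {
    ipt=$1

    # Inbound: rewrite the public address to the DMZ host. HTTP, SMTP and
    # POP3 are TCP services, so no UDP rules are generated for these ports.
    $ipt -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -d "$HTTP_IP" --dport 80 \
        -j DNAT --to-destination "$DMZ_HTTP_IP"
    $ipt -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -d "$SMTP_IP" --dport 25 \
        -j DNAT --to-destination "$DMZ_SMTP_IP"
    $ipt -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -d "$SMTP_IP" --dport 110 \
        -j DNAT --to-destination "$DMZ_SMTP_IP"

    # Outbound, one-to-one: these go BEFORE the many-to-one rule. The nat
    # table is first-match, so an unrestricted catch-all placed ahead of them
    # would rewrite the DMZ hosts' traffic to $INET_IP and, for example, mail
    # would leave with a source address that does not match the MX record.
    $ipt -t nat -A POSTROUTING -o "$INET_IFACE" -s "$DMZ_HTTP_IP" \
        -j SNAT --to-source "$HTTP_IP"
    $ipt -t nat -A POSTROUTING -o "$INET_IFACE" -s "$DMZ_SMTP_IP" \
        -j SNAT --to-source "$SMTP_IP"

    # Outbound, many-to-one: restricted with -s so it only rewrites the LAN,
    # never DMZ hosts or anything else that happens to be forwarded.
    $ipt -t nat -A POSTROUTING -o "$INET_IFACE" -s "$INSIDE_NET" \
        -j SNAT --to-source "$INET_IP"
}

# Sanity check on the generated list: exit 0 only if every one-to-one SNAT
# rule precedes the many-to-one rule within POSTROUTING.
snat_order_ok() {
    rules=$(nat_rules "echo iptables" | grep -- '-A POSTROUTING')
    catchall=$(printf '%s\n' "$rules" | grep -n -- "-s $INSIDE_NET " | cut -d: -f1 | head -n 1)
    last_1to1=$(printf '%s\n' "$rules" | grep -n -E -- "--to-source ($HTTP_IP|$SMTP_IP)\$" | cut -d: -f1 | tail -n 1)
    [ -n "$catchall" ] && [ -n "$last_1to1" ] && [ "$last_1to1" -lt "$catchall" ]
}

# Number of inbound DNAT rules generated (all TCP).
dnat_count() {
    nat_rules "echo iptables" | grep -c -- '-A PREROUTING'
}

if [ "${APPLY:-0}" = "1" ]; then
    nat_rules iptables
else
    nat_rules "echo iptables"
fi
```

Run without APPLY it only prints the commands; `APPLY=1 sh nat.sh` as root loads them. After loading, `iptables -t nat -L POSTROUTING -n --line-numbers` shows the actual order in the kernel, which is the thing to verify: if the many-to-one rule sits above the one-to-one rules and is not restricted with -s, the DMZ hosts' outbound connections will carry the primary address instead of their own.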