You caught another typo, it should have been .3-7. Also, the prefix changes will also help.

But I'm still concerned / confused about the OUTPUT chain. We currently use the OUTPUT chain for the 1:1 nat. That seems to work fine on all other configurations where we do nat'ing. Our rule is currently "[0:0] -A POSTROUTING -s 10.20.30.8 -j DNAT --to 88.44.55.8" which works fine. But can we also consolidate this using the NETMAP like the pre/post route? If I'm straying down the wrong path can you please include a sample for what the OUTPUT should look like?

So far you've helped reduce that iptables file considerably and simplified its management.

Thanks...

Gary

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jason Opperisano
Sent: Thursday, April 14, 2005 3:37 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DNAT/SNAT question

On Thu, Apr 14, 2005 at 03:16:37PM -0700, Gary W. Smith wrote:
>
> The other question was regarding the OUTPUT rules. When I had the
> manual 1:1 mapping I found that without the OUTPUT rules that there were
> problems accessing an internal server from the firewall (or the server
> itself) using the external address. Is this something that is fixed
> with the NETMAP setting?

no--you'll still need the OUTPUT rule to DNAT packets from the firewall itself. there's another thread from today about this very thing, "Problem with DNAT from localhost to LAN via loopback"

if you do intend to include .8 and are trying to break down .8 - .127, you can do it in one less prefix than you have:

88.44.55.8/29
88.44.55.16/28
88.44.55.32/27
88.44.55.64/26

(sorry for that tangent)...

> #[0:0] -A OUTPUT -d 88.44.55.8/26 -j NETMAP --to 10.20.30.8/26
> #[0:0] -A OUTPUT -d 88.44.55.16/28 -j NETMAP --to 10.20.30.16/28
> #[0:0] -A OUTPUT -d 88.44.55.32/27 -j NETMAP --to 10.20.30.32/27
> #[0:0] -A OUTPUT -d 88.44.55.64/27 -j NETMAP --to 10.20.30.64/27
> #[0:0] -A OUTPUT -d 88.44.55.96/27 -j NETMAP --to 10.20.30.96/27

like i said earlier--i think you'll still want the OUTPUT DNATs for packets from the firewall itself.

-j

--
"Announcer: Paw McTucket Beer. If you drink it, hot women will have sex in your backyard." --Family Guy
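An added example, not part of this thread: it reproduces the prefix breakdown above (minimal aligned CIDR blocks for .8-.127) and generates matching 1:1 NETMAP rules for PREROUTING, POSTROUTING and, for packets the firewall itself sends to an external address, OUTPUT. The addresses are the thread's own; emitting NETMAP rather than per-host DNAT in the OUTPUT chain is an assumption that the kernel in use accepts the NETMAP target there, which the thread does not settle.

```python
import ipaddress

# Values taken from the thread: public 88.44.55.8-.127 mapped 1:1 onto
# private 10.20.30.8-.127 (a /25 minus its first eight addresses).
EXT_FIRST, EXT_LAST, INT_FIRST = "88.44.55.8", "88.44.55.127", "10.20.30.8"


def cidr_blocks(first, last):
    """Smallest set of aligned CIDR prefixes covering first..last inclusive.

    For .8-.127 this yields .8/29, .16/28, .32/27, .64/26, the four-prefix
    breakdown from the thread (the five-rule version used a misaligned /26).
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def netmap_rules(ext_first, ext_last, int_first):
    """Emit iptables-save style nat rules for a 1:1 NETMAP of an external range.

    NETMAP rewrites only the host part of the address, so both sides of every
    rule must be aligned blocks of equal prefix length; an internal block that
    does not line up is rejected rather than silently mapping the wrong hosts.
    PREROUTING handles inbound traffic, POSTROUTING the outbound direction, and
    OUTPUT (assumed valid for NETMAP here) locally generated packets.
    """
    offset = (int(ipaddress.ip_address(int_first))
              - int(ipaddress.ip_address(ext_first)))
    pre, out, post = [], [], []
    for ext in cidr_blocks(ext_first, ext_last):
        try:
            intl = ipaddress.ip_network(
                (int(ext.network_address) + offset, ext.prefixlen), strict=True)
        except ValueError as exc:
            raise ValueError(
                f"internal block for {ext} is not /{ext.prefixlen} aligned") from exc
        pre.append(f"[0:0] -A PREROUTING -d {ext} -j NETMAP --to {intl}")
        out.append(f"[0:0] -A OUTPUT -d {ext} -j NETMAP --to {intl}")
        post.append(f"[0:0] -A POSTROUTING -s {intl} -j NETMAP --to {ext}")
    return pre + out + post


if __name__ == "__main__":
    print("*nat")
    print("\n".join(netmap_rules(EXT_FIRST, EXT_LAST, INT_FIRST)))
    print("COMMIT")
```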