Thanks :) I answer between lines... On 7/4/05, /dev/rob0 <rob0@xxxxxxxxx> wrote: > >>="masquerading.multi-eth" (misnamed: it does no masquerading) Ok. I tried with MASQUERADE, but by now I use SNAT. > > >>NE1=192.168.16.0/28 > >>NE2=192.168.17.0/28 > > Let's see, those are .0-.15 on the last quad. > > >>NLOCAL=192.168.0.0/20 > > And this is 0.0 through 15.255 ... IOW, wrong, excluding both $NE1 and > $NE2. Try 192.168.16.0/23. It would not hurt for you to brush up on > TCP/IP and subnetting basics. Oh. Is it wrong? I don't understand what's "IOW". Where should I try your proposed subnet? why? > > >> $IPTABLES -t nat -F PREROUTING > >> $IPTABLES -t nat -F POSTROUTING > >> $IPTABLES -t nat -F OUTPUT > >> $IPTABLES -t filter -F INPUT > >> $IPTABLES -t filter -F FORWARD > >> $IPTABLES -t filter -F OUTPUT > >> $IPTABLES -t filter -F keep_state >&/dev/null > >> $IPTABLES -t filter -X keep_state >&/dev/null > >> $IPTABLES -t nat -F keep_state >&/dev/null > >> $IPTABLES -t nat -X keep_state >&/dev/null > > Could be rewritten as: > iptables -F ; iptables -X ; iptables -t nat -F ; iptables -t nat -X Ok :) > > >> $IPTABLES -t filter -N keep_state > >> $IPTABLES -t filter -A keep_state -m state \ > >> --state RELATED,ESTABLISHED -j ACCEPT > >> $IPTABLES -t filter -A keep_state -j RETURN > >> > >> $IPTABLES -t nat -N keep_state > >> $IPTABLES -t nat -A keep_state -m state \ > >> --state RELATED,ESTABLISHED -j ACCEPT > >> $IPTABLES -t nat -A keep_state -j RETURN > > 1. IMO it's confusing to give chains the same name in different tables. I agree... but by now does that matter? > 2. The RETURN rules are pointless. That's what happens at the end of a > chain, anyway. Ok. That's what I thought > 3. --state in -t nat? Is that possible? Does it work? Does it break > anything? It seems it's possible. I get no error from those commands. Anyway, I've thought that happens double application of that rule, through filter and nat tables. I've removed everything about 'keep_state' in the nat table. Everything is still working bad. Even from the computer itself (local processes). Routing doesn't work, even without any "NAT"-related chain/rule. > > > About the 16.x and 17.x addresses... yes, there are other routers, > > which make NAT (192.168.16.2 and 192.168.17.2) to internet. > > This seems odd to me. I prefer to use external IP directly, for many > reasons. It also eliminates other potential points of failure. I agree :) but it's hard for me to configure the routers, so they give to me the public addresses. I think that double-NAT should not break anything. :) > > It's even more odd considering that you're doing DNAT on the already- > NAT'ed Linux machine. Why not do the DNAT in the external routers? > Also, those DNAT rules refer to other RFC 1918 netblocks. mmm I've never read RFC 1918. :) I'll take a look at it. Thanks! - I finish the working time in few minutes. Tomorrow morning I'll keep on with this.
