It doesn't look like double NAT to me. Anyway, try to combine your rules with the proper IP-to-NIC mapping by way of the ARP proxying functionality. Look it up. That's usually a good bet when it comes to double NATting. There's also a good paper on double NAT on the netfilter.org site. Good luck.

João

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Guenter.Sprakties@xxxxxxxx
Sent: Sunday, 22 January 2006 14:58
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: double NAT problem

Hello,

I've got an urgent problem with double netfilter NAT. The router has the following interfaces:

    eth0: 220.100.100.1/24 -> Internet
    eth1: 172.24.24.1/24   -> Intranet (INTNET)
    eth2: 192.168.100.1/24 -> DMZ

Now the iptables ruleset:

    #NAT
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.100.4 -d ! "$INTNET" -j SNAT --to 220.100.100.4
    iptables -t nat -A PREROUTING -i eth0 -d 220.100.100.4 -j DNAT --to 192.168.100.4
    ip addr add 220.100.100.4 dev eth0
    iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100.4 -d "$INTNET" -j SNAT --to 172.24.24.4
    iptables -t nat -A PREROUTING -i eth1 -s "$INTNET" -d 172.24.24.4 -j DNAT --to 192.168.100.4
    ip address add 172.24.24.4 dev eth1

The idea is to reach the DMZ host from inside by its 172.. IP and from outside by its 220... IP, while the 'real' IP is a 192.. net IP. So far, so good. From inside, everything is fine. Going outside, the outgoing packets are also OK. The problem is the ext->dmz direction: we see these packets in tcpdump with the 220... IP coming from outside, but not in iptables - neither with a 192.. nor with a 220 destination address. Is double NATting not allowed? If it's like this, we need another router - one for the inside NAT and one for the outside NAT. Anybody any idea?

Greetings,
Günter
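What the six rules above are supposed to do is easier to check against a model than against a live box. The following is an added example, not the poster's script or anything from netfilter.org: a small Python model of how the nat table is traversed for the posted ruleset (nat PREROUTING, routing decision, nat POSTROUTING) and of the one thing the rules do not show, namely that only the first packet of a connection consults the nat table while replies are translated back by conntrack. Addresses and interfaces are the ones from the post; the external client 203.0.113.9, the ports and the packet samples are constructed for the example. The `-d ! "$INTNET"` negation of the 2006 syntax is written as `! -d` in current iptables; the model implements the same match.

```python
"""Toy model of netfilter NAT traversal for the double-NAT ruleset in the post.

Added example, not the original poster's configuration.  It reproduces the
intended translation for each direction so that observed tcpdump/iptables
behaviour can be compared against the expected one.
"""
import ipaddress
from dataclasses import dataclass, replace

INTNET = ipaddress.ip_network("172.24.24.0/24")

# Connected networks plus the default route, as on the router in the post.
ROUTES = [
    (ipaddress.ip_network("172.24.24.0/24"), "eth1"),    # Intranet
    (ipaddress.ip_network("192.168.100.0/24"), "eth2"),  # DMZ
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),         # Internet (default)
]


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    sport: int
    dport: int
    out_if: str = ""   # filled in by the routing decision


def in_net(addr, net):
    return ipaddress.ip_address(addr) in net


def route(dst):
    """Routing decision: first route whose network contains dst."""
    for net, dev in ROUTES:
        if in_net(dst, net):
            return dev
    raise ValueError("no route to %s" % dst)


# nat chains in the order of the post: (match predicate, target, address).
PREROUTING = [
    # iptables -t nat -A PREROUTING -i eth0 -d 220.100.100.4 -j DNAT --to 192.168.100.4
    (lambda p: p.in_if == "eth0" and p.dst == "220.100.100.4", "DNAT", "192.168.100.4"),
    # iptables -t nat -A PREROUTING -i eth1 -s $INTNET -d 172.24.24.4 -j DNAT --to 192.168.100.4
    (lambda p: p.in_if == "eth1" and in_net(p.src, INTNET) and p.dst == "172.24.24.4",
     "DNAT", "192.168.100.4"),
]
POSTROUTING = [
    # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.100.4 ! -d $INTNET -j SNAT --to 220.100.100.4
    (lambda p: p.out_if == "eth0" and p.src == "192.168.100.4" and not in_net(p.dst, INTNET),
     "SNAT", "220.100.100.4"),
    # iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100.4 -d $INTNET -j SNAT --to 172.24.24.4
    (lambda p: p.out_if == "eth1" and p.src == "192.168.100.4" and in_net(p.dst, INTNET),
     "SNAT", "172.24.24.4"),
]


def apply_chain(chain, pkt):
    """First matching rule wins; NAT targets are terminating, as in netfilter."""
    for match, target, addr in chain:
        if match(pkt):
            return replace(pkt, dst=addr) if target == "DNAT" else replace(pkt, src=addr)
    return pkt


class NatRouter:
    def __init__(self):
        # reply 4-tuple (src, sport, dst, dport) -> (original src, original dst)
        self.conntrack = {}

    def forward(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Reply of a tracked connection: conntrack undoes the original
            # DNAT/SNAT; the nat table is not consulted again.
            orig_src, orig_dst = self.conntrack[key]
            pkt = replace(pkt, src=orig_dst, dst=orig_src)
            return replace(pkt, out_if=route(pkt.dst))
        # NEW connection: nat PREROUTING -> routing decision -> nat POSTROUTING
        orig = pkt
        pkt = apply_chain(PREROUTING, pkt)
        pkt = replace(pkt, out_if=route(pkt.dst))
        translated = apply_chain(POSTROUTING, pkt)
        reply_key = (translated.dst, translated.dport, translated.src, translated.sport)
        self.conntrack[reply_key] = (orig.src, orig.dst)
        return translated


if __name__ == "__main__":
    r = NatRouter()
    # Constructed sample: external client hits the 220 alias, DMZ host answers.
    for p in (Packet("eth0", "203.0.113.9", "220.100.100.4", 40000, 80),
              Packet("eth2", "192.168.100.4", "203.0.113.9", 80, 40000)):
        print(p.in_if, p.src, "->", p.dst, "  becomes  ", r.forward(p))
```

Run stand-alone it prints the ext->dmz request after DNAT and the reply after the conntrack reverse translation; the same object can be fed the intranet and outbound cases. The model deliberately has no ARP or address-assignment layer: if a packet for 220.100.100.4 is visible in tcpdump on eth0 but never increments the PREROUTING counters (`iptables -t nat -L PREROUTING -v -n`), the gap lies below this model, which is the layer João's proxy-ARP remark points at.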