Re: A netfilter 'if possible' question


 



Hello,

Simon wrote:

> I understand NAT to the level that i currently use it, to send certain
> ports from our DSL link to various different servers within our
> internal network.

This is "port forwarding", which is a common application of Destination NAT (DNAT).

> Is it possible to do this to an outside IP address.

Yes, but...

> eg. zzz.zzz.zzz.zzz sends http requests to port 80 and 443 on
> xxx.xxx.xxx.xxx, then have netfilter NAT those requests thru to port
> 80/443 on yyy.yyy.yyy.yyy, both x and y being different real world IP
> addresses and on different subnets? (physically separate servers).

... one condition for this to work as expected is "symmetric" routing. Let me explain. Forward packets go from the client to the NAT box, then from the NAT box to the server. Return packets *must* go from the server back to the NAT box, then from the NAT box back to the client. Else they would come back directly to the client with the wrong source address, that is the server address instead of the NAT box address expected by the client. This is basically the same problem as port redirection to a server which is on the same LAN as the client.

In a controlled network, the symmetric routing condition can be met by the routing topology. But if both the client and the server are anywhere on the real internet, this condition is not true. So, to force return packets to go back to the NAT box, you must do Source NAT (SNAT) to masquerade the client address with the NAT box address. See <http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html>.

Be aware that because of SNAT the server will only see the NAT box address as the source of the redirected connections; it will not see the real client address. In case of abuse, the only address in the server logs will be the NAT box address.
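As an added illustration (not part of the original mail), the rule set described above: DNAT in PREROUTING for ports 80 and 443 towards the external server, a FORWARD policy that lets the redirected flow and its replies through, and the POSTROUTING SNAT that forces the server's replies back through the NAT box. The addresses (192.0.2.10 for the NAT box, 198.51.100.20 for the server) and the interface name eth0 are placeholders chosen here, not values from the thread; the script assumes iptables is present on the NAT box. By default it only prints the commands; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example, not from the original mail. Placeholder addresses/interface:
PUB_IP="${PUB_IP:-192.0.2.10}"      # xxx.xxx.xxx.xxx: the NAT box's public address
SRV_IP="${SRV_IP:-198.51.100.20}"   # yyy.yyy.yyy.yyy: the real (external) server
WAN_IF="${WAN_IF:-eth0}"            # interface facing the internet (assumption)
PORTS="80 443"

# run CMD...: print the command (dry run, the default) or execute it (APPLY=1).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Routing between interfaces is off by default on Linux; a NAT box needs it on.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# redirect_rules MODE
#   MODE=snat      : client and server are anywhere on the internet (the case in
#                    the mail), so the client address is masqueraded behind PUB_IP
#                    and the server's replies come back to the NAT box.
#   MODE=symmetric : the server already routes its replies via the NAT box,
#                    so no SNAT is needed and the server sees the real client.
redirect_rules() {
    mode="${1:-snat}"
    # Replies to already-tracked connections are allowed in both directions.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $PORTS; do
        # 1. Port forwarding: rewrite the destination as the packet arrives.
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUB_IP" --dport "$p" \
            -j DNAT --to-destination "$SRV_IP:$p"
        # 2. Allow the first packet of the rewritten flow (in and out on WAN_IF).
        run iptables -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -p tcp -d "$SRV_IP" --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
        # 3. Asymmetric routing only: make the NAT box the source the server sees.
        #    Without this the server would reply straight to the client, whose
        #    stack drops the packet because it comes from SRV_IP, not PUB_IP.
        if [ "$mode" = "snat" ]; then
            run iptables -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -d "$SRV_IP" --dport "$p" \
                -j SNAT --to-source "$PUB_IP"
        fi
    done
}

# Dry run of the full configuration for the case discussed in the mail.
enable_forwarding
redirect_rules snat
```

After applying with APPLY=1, `iptables -t nat -S` should list the DNAT and SNAT rules, and `conntrack -L` (from conntrack-tools) shows each redirected connection with both the original and the rewritten tuples. Note that in `snat` mode the server's access log will, as the mail warns, record only PUB_IP for every forwarded client.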


