Pascal,

Thanks for the feedback. I am currently using the following as my general NAT, which catches everything that is not my servers. It is listed last in my script, so I thought it would be the last one to be executed if none of the rules above it matched. I guess there is still some traffic that is not matching the specific rules, or I misunderstood how iptables handles order and jumping. Here is my script in its entirety:

#! /bin/bash
# -a loads every module listed (without it modprobe treats the later names as
# parameters of the first module); the table modules are iptable_nat and iptable_mangle
modprobe -a ip_conntrack_ftp iptable_nat iptable_mangle ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
# flush the nat table before the rules are re-added
iptables -t nat -F

# Static configs: 1:1 mappings, inbound DNAT on the public address,
# outbound SNAT on the private address
# server1
iptables -t nat -A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 192.168.2.10
iptables -t nat -A POSTROUTING -s 192.168.2.10 -j SNAT --to-source 1.1.1.2
# server2
iptables -t nat -A PREROUTING -d 1.1.1.3 -j DNAT --to-destination 192.168.2.11
iptables -t nat -A POSTROUTING -s 192.168.2.11 -j SNAT --to-source 1.1.1.3
# server3
iptables -t nat -A PREROUTING -d 1.1.1.4 -j DNAT --to-destination 192.168.2.12
iptables -t nat -A POSTROUTING -s 192.168.2.12 -j SNAT --to-source 1.1.1.4
# workstation1
iptables -t nat -A PREROUTING -d 1.1.1.5 -j DNAT --to-destination 192.168.2.13
iptables -t nat -A POSTROUTING -s 192.168.2.13 -j SNAT --to-source 1.1.1.5
# workstation2
iptables -t nat -A PREROUTING -d 1.1.1.6 -j DNAT --to-destination 192.168.2.21
iptables -t nat -A POSTROUTING -s 192.168.2.21 -j SNAT --to-source 1.1.1.6

# General nat: no -s or -o match, so it applies to every packet that reaches
# this point without having matched one of the rules above
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1

I will give the recipe that you mentioned a try. What exactly is the difference between --to and --to-source/--to-destination; is it just an alias?

One question that I have regarding the recipe that you provided: since I have machines with public addresses scattered through the 192.168.2.0/24 subnet, would it still be matching more than it should? Or does providing it a subnet and an out interface try to prevent NATing on inbound traffic as well?
Thanks,
Robert LeBlanc

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Pascal Hambourg
> Sent: Wednesday, August 02, 2006 5:37 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: DNAT with original source address
>
> Hello,
>
> Robert LeBlanc wrote:
> > I'm having problems with my e-mail server saying that every connection
> > originates from the NAT box. I checked it on my other linux server and
> > sure enough even though I have 1:1 DNAT and a reverse SNAT configured,
> > packets destined for my server show the NAT box as the source. How do
> > you configure DNAT so that it keeps the original Internet address and
> > does not mangle it, only the destination address to my server on a
> > private subnet?
>
> DNAT never mangles the source address in the PREROUTING chain. DNAT can
> mangle the source address only in the OUTPUT chain to match the new
> output interface.
>
> > iptables -t nat -A PREROUTING -d 1.1.1.4 -j DNAT --to-destination
> > 192.168.2.10
> > iptables -t nat -A POSTROUTING -s 192.168.2.10 -j SNAT --to-source
> > 1.1.1.4
> >
> > So the gateway's public address is 1.1.1.1 and the e-mail server is
> > 1.1.1.4. The e-mail logs and ssh logins all show that every connection
> > is made from 1.1.1.1 even though the connections are made from the
> > Internet.
>
> I bet that is the result of another SNAT rule, maybe the one used to
> masquerade the private subnet on internet which matches more than it
> should. For instance you have :
>
> iptables -t nat -A POSTROUTING -j SNAT --to 1.1.1.1
>
> when you need :
>
> iptables -t nat -A POSTROUTING -o <public_interface> -s 192.168.2.0/24 \
> -j SNAT --to 1.1.1.1
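The mechanism behind Pascal's diagnosis, as an added example that is not part of the thread and not code from either poster: a small first-match simulator of the nat table's PREROUTING and POSTROUTING chains, loaded with the 1:1 rules from Robert's script plus either his catch-all or Pascal's restricted one. It assumes interface names eth0 (public) and eth1 (LAN) and uses constructed Internet addresses (203.0.113.7, 198.51.100.9). It shows why the posted catch-all rewrites the source of inbound DNATed mail: the per-server SNAT rules only match a private source address, so a packet whose source is an Internet host falls through to the unrestricted rule on its way out the LAN interface. With the -o/-s restriction that packet matches nothing, while the 1:1 servers still get their own public address on the way out, because the specific rules sit before the catch-all and the first matching NAT target terminates the chain.

```python
"""First-match simulation of iptables nat PREROUTING/POSTROUTING for a forwarded packet.

Added illustration; not the kernel's code. Interface names and the Internet
addresses used below are assumptions / constructed sample data.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PUBLIC_IF = "eth0"   # assumed Internet-facing interface (Pascal's <public_interface>)
PRIVATE_IF = "eth1"  # assumed LAN interface
PRIVATE_NET = ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    chain: str                  # "PREROUTING" or "POSTROUTING"
    target: str                 # "DNAT" or "SNAT"
    to: str                     # --to-destination / --to-source
    src: Optional[str] = None   # -s (address or CIDR)
    dst: Optional[str] = None   # -d (address or CIDR)
    out: Optional[str] = None   # -o (meaningful in POSTROUTING only)

    def matches(self, pkt: Packet, out_if: Optional[str]) -> bool:
        return (
            (self.src is None or ip_address(pkt.src) in ip_network(self.src, strict=False))
            and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst, strict=False))
            and (self.out is None or self.out == out_if)
        )


def route(dst: str) -> str:
    """Gateway routing decision: the private subnet is reached via the LAN interface."""
    return PRIVATE_IF if ip_address(dst) in PRIVATE_NET else PUBLIC_IF


def walk(chain: str, rules: List[Rule], pkt: Packet, out_if: Optional[str] = None) -> Packet:
    """Rules are tried in order; the first matching NAT target ends the chain."""
    for r in rules:
        if r.chain == chain and r.matches(pkt, out_if):
            return replace(pkt, dst=r.to) if r.target == "DNAT" else replace(pkt, src=r.to)
    return pkt


def forward(rules: List[Rule], pkt: Packet) -> Tuple[Packet, str]:
    """PREROUTING (DNAT) -> routing decision -> POSTROUTING (SNAT), as for a forwarded packet."""
    pkt = walk("PREROUTING", rules, pkt)
    out_if = route(pkt.dst)           # routing happens after DNAT, on the new destination
    return walk("POSTROUTING", rules, pkt, out_if), out_if


def trace(rules: List[Rule], src: str, dst: str) -> Tuple[str, str, str]:
    """Convenience wrapper: (final source, final destination, outgoing interface)."""
    pkt, out_if = forward(rules, Packet(src, dst))
    return pkt.src, pkt.dst, out_if


def one_to_one(public: str, private: str) -> List[Rule]:
    """The PREROUTING/POSTROUTING pair Robert's script adds per 1:1 host."""
    return [Rule("PREROUTING", "DNAT", to=private, dst=public),
            Rule("POSTROUTING", "SNAT", to=public, src=private)]


MAPPINGS = [("1.1.1.2", "192.168.2.10"), ("1.1.1.3", "192.168.2.11"),
            ("1.1.1.4", "192.168.2.12"), ("1.1.1.5", "192.168.2.13"),
            ("1.1.1.6", "192.168.2.21")]
STATIC = [r for pub, priv in MAPPINGS for r in one_to_one(pub, priv)]

# As posted: no -o and no -s, so the catch-all hits every packet that reaches it.
POSTED = STATIC + [Rule("POSTROUTING", "SNAT", to="1.1.1.1")]
# Pascal's recipe: only packets from the private subnet leaving via the public interface.
FIXED = STATIC + [Rule("POSTROUTING", "SNAT", to="1.1.1.1", src="192.168.2.0/24", out=PUBLIC_IF)]

if __name__ == "__main__":
    cases = [("203.0.113.7", "1.1.1.4"),       # Internet host -> mail server's public address
             ("192.168.2.12", "198.51.100.9"),  # mail server -> Internet
             ("192.168.2.50", "198.51.100.9")]  # unmapped LAN host -> Internet
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        for src, dst in cases:
            print(name, (src, dst), "->", trace(rules, src, dst))
```

Two caveats a practitioner should keep in mind when reading the output. The real nat table is consulted only for the first packet of a connection; conntrack then applies the same mapping, in both directions, to the rest of the flow, so the per-packet walk above is a model of that first decision only, and it ignores the OUTPUT chain (locally generated traffic). On the `--to` question: iptables parses target options with getopt_long, which accepts any unambiguous abbreviation, so `--to` is simply a shortened spelling of `--to-source` (for SNAT) or `--to-destination` (for DNAT), not a separate option.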