The rule that Pascal specified worked great! Thanks for the help. If anyone can chime in, I'd still like to know the answers to the questions I posed below so that I can understand the process better.

Thanks,
Robert LeBlanc

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Robert LeBlanc
> Sent: Thursday, August 03, 2006 8:34 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: DNAT with original source address
>
> Pascal,
> Thanks for the feedback. I am currently using the following as my general NAT that catches everything that is not my servers. It is listed last in my script and so I thought it would be the last one to be executed if none of the above rules matched. I guess there is still some traffic that is not matching the specific rules or I misunderstood how iptables handled order and jumping. Here is my script in its entirety:
>
> #! /bin/bash
>
> # -a is needed to load several modules in one call; the nat/mangle table modules are iptable_nat and iptable_mangle
> modprobe -a ip_conntrack_ftp iptable_nat iptable_mangle ip_nat_ftp
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> iptables -t nat -F
>
> # Static configs
> # server1
> iptables -t nat -A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 192.168.2.10
> iptables -t nat -A POSTROUTING -s 192.168.2.10 -j SNAT --to-source 1.1.1.2
>
> # server2
> iptables -t nat -A PREROUTING -d 1.1.1.3 -j DNAT --to-destination 192.168.2.11
> iptables -t nat -A POSTROUTING -s 192.168.2.11 -j SNAT --to-source 1.1.1.3
>
> # server3
> iptables -t nat -A PREROUTING -d 1.1.1.4 -j DNAT --to-destination 192.168.2.12
> iptables -t nat -A POSTROUTING -s 192.168.2.12 -j SNAT --to-source 1.1.1.4
>
> # workstation1
> iptables -t nat -A PREROUTING -d 1.1.1.5 -j DNAT --to-destination 192.168.2.13
> iptables -t nat -A POSTROUTING -s 192.168.2.13 -j SNAT --to-source 1.1.1.5
>
> # workstation2
> iptables -t nat -A PREROUTING -d 1.1.1.6 -j DNAT --to-destination 192.168.2.21
> iptables -t nat -A POSTROUTING -s 192.168.2.21 -j SNAT --to-source 1.1.1.6
>
> # General NAT
> iptables -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
>
> I will give the recipe that you mentioned a try. What exactly is the difference between --to and --to-source/--to-destination; is it just an alias? One question that I have regarding the recipe that you provided is that, since I have machines with public addresses scattered through the 192.168.2.0/24 subnet, would it still be matching more than it should? Or does providing it a subnet and an out interface try to prevent NATing on inbound traffic as well?
>
> Thanks,
> Robert LeBlanc
>
> > -----Original Message-----
> > From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Pascal Hambourg
> > Sent: Wednesday, August 02, 2006 5:37 PM
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: Re: DNAT with original source address
> >
> > Hello,
> >
> > Robert LeBlanc wrote:
> > > I'm having problems with my e-mail server saying that every connection originates from the NAT box. I checked it on my other Linux server and sure enough, even though I have 1:1 DNAT and a reverse SNAT configured, packets destined for my server show the NAT box as the source. How do you configure DNAT so that it keeps the original Internet address and does not mangle it, only the destination address to my server on a private subnet?
> >
> > DNAT never mangles the source address in the PREROUTING chain. DNAT can mangle the source address only in the OUTPUT chain to match the new output interface.
> >
> > > iptables -t nat -A PREROUTING -d 1.1.1.4 -j DNAT --to-destination 192.168.2.10
> > > iptables -t nat -A POSTROUTING -s 192.168.2.10 -j SNAT --to-source 1.1.1.4
> > >
> > > So the gateway's public address is 1.1.1.1 and the e-mail server is 1.1.1.4. The e-mail logs and ssh logins all show that every connection is made from 1.1.1.1 even though the connections are made from the Internet.
> >
> > I bet that is the result of another SNAT rule, maybe the one used to masquerade the private subnet on the Internet, which matches more than it should. For instance you have:
> >
> > iptables -t nat -A POSTROUTING -j SNAT --to 1.1.1.1
> >
> > when you need:
> >
> > iptables -t nat -A POSTROUTING -o <public_interface> -s 192.168.2.0/24 \
> > -j SNAT --to 1.1.1.1
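To answer the two questions left open above (does the narrowed catch-all still match the public-addressed hosts, and does `-o`/`-s` keep it off inbound traffic), here is an added example, not from the thread or from netfilter, that models the first-match walk of nat/POSTROUTING for Robert's rules. The interface names eth0 (public) and eth1 (LAN) and the Internet addresses are constructed assumptions.

```python
# Added example: a minimal model of nat/POSTROUTING first-match semantics.
# It is NOT iptables; it only reproduces "first matching rule rewrites the
# source and ends traversal", enough to show why the bare catch-all SNAT
# rewrites inbound connections and why "-o <public_if> -s 192.168.2.0/24" stops it.
from ipaddress import ip_address, ip_network


def rule(to, src=None, out=None):
    """A POSTROUTING SNAT rule: optional -s and -o matches (None = any), rewrite src to `to`."""
    return {"src": ip_network(src) if src else None, "out": out, "to": to}


def postrouting(chain, pkt):
    """Walk the chain; the first rule whose -s/-o both match SNATs the packet and ends traversal."""
    for r in chain:
        if r["src"] is not None and ip_address(pkt["src"]) not in r["src"]:
            continue
        if r["out"] is not None and r["out"] != pkt["out"]:
            continue
        return dict(pkt, src=r["to"])
    return pkt  # nothing matched: source address left untouched


# Two of Robert's 1:1 reverse-SNAT rules (same order as in his script).
ONE_TO_ONE = [rule("1.1.1.2", src="192.168.2.10"), rule("1.1.1.4", src="192.168.2.12")]
# The "General NAT" line as posted, and Pascal's narrowed version (eth0 assumed public).
BROAD = ONE_TO_ONE + [rule("1.1.1.1")]
NARROW = ONE_TO_ONE + [rule("1.1.1.1", src="192.168.2.0/24", out="eth0")]

# Constructed packets as they reach POSTROUTING (DNAT already done in PREROUTING).
INBOUND = {"src": "203.0.113.7", "dst": "192.168.2.12", "out": "eth1"}      # Internet -> mail server
REPLY = {"src": "192.168.2.12", "dst": "203.0.113.7", "out": "eth0"}        # mail server -> Internet
LAN_CLIENT = {"src": "192.168.2.50", "dst": "198.51.100.9", "out": "eth0"}  # host with no public IP


def source_seen_by_server(chain):
    """Source address the mail server would log for an inbound connection under `chain`."""
    return postrouting(chain, INBOUND)["src"]


if __name__ == "__main__":
    print("broad catch-all, inbound seen from :", source_seen_by_server(BROAD))
    print("narrow catch-all, inbound seen from:", source_seen_by_server(NARROW))
    print("narrow, mail server reply src      :", postrouting(NARROW, REPLY)["src"])
    print("narrow, LAN client src             :", postrouting(NARROW, LAN_CLIENT)["src"])
```

The 1:1 hosts never reach the catch-all in either chain because their own SNAT rule matches first; the narrowed rule changes only what happens to packets that fall through, and an inbound packet (Internet source, leaving on eth1) fails both the `-s` and `-o` checks.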