RE: 1:1 NAT Help

Then, is forwarding allowed?
echo 1 > /proc/sys/net/ipv4/ip_forward
 
And there is a correct route to 10.2.253.21?

 
If both answers are yes, what do you see when you tcpdump on your internal interface on host 10.2.253.21 and try to connect to 204.184.20.221 from the Internet?
 
And what do you see when you tcpdump on your external interface for 204.184.20.221, is traffic reaching your firewall?
 
-Sietse

________________________________

From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Dan Ferris
Sent: Tue 08-Aug-06 14:14
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: 1:1 NAT Help



Yes, because I cleared all the rules and set everything to accept before
testing.

Dan

Sietse van Zanen wrote:
> Are you sure you also allow the connection in the FORWARD chain of the filter table?
> 
> iptables -A FORWARD -i eth2 -d 10.2.253.21 -j ACCEPT
> 
> -Sietse
>
> ________________________________
>
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Dan Ferris
> Sent: Mon 07-Aug-06 20:56
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: 1:1 NAT Help
>
>
>
> Dear List,
>
> I have searched Google, and the list archives back to 2003, and have found
> little information about this particular problem.
>
> First I present to you two very simplified rules.
>
> iptables -A PREROUTING -i eth2 -d 204.184.20.221 -j DNAT --to 10.2.253.21
>
> and
>
> iptables -A POSTROUTING -o eth2 -s 10.2.253.21 -j SNAT --to 204.184.20.221
>
> Having never really dealt with 1:1 NAT before, I thought this would "just
> work".  However, it does not work.  The SNAT rule works fine.  The DNAT
> rule does not work at all.  I don't even see packets hitting it.
>
> A few other pieces of information:
>
> 1.  Proxy arp does not seem to be a problem.  When I SSH to the external
> IP, I can see the ethernet frames coming into the ethernet interface.
>
> 2.  I have tried doing: ip addr add 204.184.20.221 dev eth2 and it still
> won't work.
>
> We have an old POS box running Debian with Shorewall and kernel 2.4 that
> works perfectly with the 1:1 NAT rules.  However, the friend I am
> helping does not want to use Shorewall, as she wishes to learn iptables
> the old fashioned way.  The only difference between the old Debian
> firewall and the new one is that the new one is running CentOS and the
> 2.6 kernel.
> The old firewall that works has proxy arp turned off and rp_filter
> turned on.  The new firewall has proxy arp turned off and rp_filter
> turned on.
>
> I'm really lost and I used to think I was decent at iptables.  So if
> anybody can help it would be appreciated.
>
> Thank you!
>
> Dan
>
>
>
>
>
>  

--
What do you call a guy with no legs who is waterskiing?


Skip.
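The pieces the thread walks through (ip_forward, the DNAT/SNAT pair in the nat table, and a matching ACCEPT in the FORWARD chain of the filter table) assembled into one script, as an added example that is not from either poster. It reuses the thread's addresses and eth2 as the outside interface; eth1 as the inside interface is an assumption, and the counter check at the end is the quickest way to see whether packets are actually hitting the DNAT rule.

```shell
#!/bin/sh
# One-to-one NAT for a single internal host. Constructed example:
# the public/internal addresses and eth2 come from the thread, eth1 is assumed.
PUBLIC_IP=${PUBLIC_IP:-204.184.20.221}
INTERNAL_IP=${INTERNAL_IP:-10.2.253.21}
EXT_IF=${EXT_IF:-eth2}
INT_IF=${INT_IF:-eth1}

# With DRY_RUN set, commands are printed instead of executed, so the
# ruleset can be reviewed before it touches a live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_one_to_one_nat() {
    # 1. Without forwarding, a DNATed packet is dropped right after PREROUTING.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Translation lives in the nat table; no filtering happens here.
    run iptables -t nat -A PREROUTING  -i "$EXT_IF" -d "$PUBLIC_IP" \
        -j DNAT --to-destination "$INTERNAL_IP"
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$INTERNAL_IP" \
        -j SNAT --to-source "$PUBLIC_IP"

    # 3. FORWARD sees the packet after DNAT, so match on the internal address,
    #    not the public one. Replies are accepted via connection tracking.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -d "$INTERNAL_IP" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -s "$INTERNAL_IP" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Per-rule packet counters: a DNAT rule whose counter stays at zero while
# tcpdump shows frames arriving on the outside interface is never matched.
show_nat_counters() {
    run iptables -t nat -L PREROUTING -v -n
    run iptables -L FORWARD -v -n
}
```

Run with `DRY_RUN=1 sh script.sh` first to read the generated commands, then as root without DRY_RUN to apply them.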