>> Packet arrives at 210.153.22.y.
>> Packet is DNAT-ed to 192.168.2.208.
>> Gateway sends packet to 192.168.5.202.
>> Router at 192.168.5.202 routes packet to 192.168.2.208.
>>
>> Example, http:
>>
>> $ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> $ipt -A FORWARD -m state --state NEW -d 192.168.2.208 \
>>      -p tcp --dport 80 -j ACCEPT
>>
>> $ipt -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 \
>>      -j DNAT --to 192.168.2.208
>>
>>
>> Grts,
>> Rob
>
> Now another issue has popped up:
>
> 210.153.22.x is the Internet gateway IP, 210.153.22.y is a public IP to
> publish 192.168.3.208. Of course, traffic from the Internet to
> 192.168.3.208 goes through 210.153.22.y. But on the other hand, all the
> traffic from 192.168.3.208 to outside will go to 210.153.22.x. Could it
> possibly go via 210.153.22.y under some protocols? How to
> configure?

That would depend on your rules at the gateway.

Taking http as an example again. An http connection is made to the server at
destination port 80/tcp. This is a grep of what it looks like using
netstat -ant:

Proto Recv-Q Send-Q Local Address     Remote Address    State
tcp        0      0 172.16.2.254:80   172.16.2.1:1191   ESTABLISHED
tcp        0      0 172.16.2.254:80   172.16.2.1:1190   ESTABLISHED

So, return packets are coming from source port 80/tcp.

I think this is what you want:

$ipt -t nat -A POSTROUTING -s 192.168.2.208 -p tcp --sport 80 \
     -j SNAT --to-source 210.153.22.y
$ipt -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source 210.153.22.x

Packets from 192.168.2.208:80 are SNAT-ed to 210.153.22.y and all other
packets are SNAT-ed to 210.153.22.x.


Gr,
Rob
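
Added example (not part of the original thread): a small Python model of first-match evaluation over the two POSTROUTING SNAT rules above, showing which address a packet is rewritten to and that swapping the rules shadows the port-80 rule. The class and function names are hypothetical, the model covers only in-order rule matching, and 210.153.22.x / 210.153.22.y are the thread's placeholders kept as plain text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class SnatRule:
    src: str                      # -s: source host or network
    to_source: str                # SNAT target (thread placeholder, kept as text)
    proto: Optional[str] = None   # -p: None means any protocol
    sport: Optional[int] = None   # --sport: None means any source port

    def matches(self, src_ip, proto, sport):
        return (ip_address(src_ip) in ip_network(self.src)
                and self.proto in (None, proto)
                and self.sport in (None, sport))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and self.proto in (None, other.proto)
                and self.sport in (None, other.sport))


def snat_for(rules, src_ip, proto, sport):
    """Return the SNAT address of the first matching rule (first match wins)."""
    for rule in rules:
        if rule.matches(src_ip, proto, sport):
            return rule.to_source
    return None  # no rule matched: packet leaves with its original source


def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [i for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


# The two rules from the reply, in the order given there.
WEB = SnatRule("192.168.2.208", "210.153.22.y", proto="tcp", sport=80)
LAN = SnatRule("192.168.2.0/24", "210.153.22.x")
PAGE_ORDER = [WEB, LAN]
SWAPPED = [LAN, WEB]   # constructed counter-example: catch-all rule first

if __name__ == "__main__":
    print(snat_for(PAGE_ORDER, "192.168.2.208", "tcp", 80))
    print(snat_for(SWAPPED, "192.168.2.208", "tcp", 80), shadowed(SWAPPED))
```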