Hmmm. So to properly do this, I _must_ SNAT the connection and route them back from system C via system B? I was afraid of that. Not sure how I would route them because System C is on a different subnet than system B.

Diagram:

            +---------------+
            |   System A    |
            +-------+-------+
                    |
            {===============}
            {   Internet    }
            {===============}
                    |
            +---------------+        +---A.B.C.x-----+
            |    Router     +--------+   System B    |
            +-------+-------+        +---------------+
                    |
            +-------+-------+
            |   System C    |
            +---X.Y.Z.x-----+

To make matters worse, System C runs Windoze. I am trying to have A.B.C.x be my DMZ with System B as my proxy for various services.

Brian

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Pascal Hambourg
Sent: Friday, February 09, 2007 7:22 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Iptables proxy to a different network

Jan Engelhardt wrote:
> On Feb 9 2007 12:27, Pascal Hambourg wrote:
>
>>>-----------
>>>*nat
>>>-A PREROUTING -p tcp --dport 80 -j DNAT --to x.y.z:80
>>>COMMIT
>>>-----------
>>
>>If you cannot or do not wish to prevent direct routing between the
>>client and the server, you must SNAT the forwarded connections in the
>>POSTROUTING chain.
>
> Or make it so that any packets from C pass B.

This is what I meant when I wrote "prevent direct routing between the client and the server".

> For example, by setting up
> your proxy box as a router or bridge (both approaches work) in the middle.

I may be wrong, but doing IP NAT on a bridge seems to me quite unnatural and troublesome.
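The DNAT-plus-SNAT arrangement Pascal describes, written out as a complete ruleset for System B. This is an added example, not something posted in the thread: the addresses (192.0.2.10 for B in the A.B.C.x DMZ, 10.0.1.20 for C in X.Y.Z.x) and the interface name eth0 are constructed placeholders, and B is assumed to have a single interface, as in Brian's diagram. The PREROUTING rule redirects inbound port 80 to C; the POSTROUTING rule rewrites the source of exactly those forwarded packets to B's own address, so C's replies come back through B (where conntrack undoes both translations) instead of going straight to the Internet via the router. The filter rules only allow the forwarded flow itself; everything else in FORWARD is dropped.

```shell
#!/bin/sh
# dmz-nat.sh: DNAT port 80 on B to C and SNAT it so replies return via B.
# Constructed placeholder addresses; replace with the real DMZ and LAN values.
B_IP="${B_IP:-192.0.2.10}"    # System B, the proxy host in the A.B.C.x DMZ
C_IP="${C_IP:-10.0.1.20}"     # System C, the real server in X.Y.Z.x
IFACE="${IFACE:-eth0}"        # B's single interface (in and out are the same)

# Emit the ruleset in iptables-restore format.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Redirect inbound HTTP that arrives at B to C.
-A PREROUTING -i $IFACE -p tcp --dport 80 -j DNAT --to-destination $C_IP:80
# Rewrite the source of only those forwarded packets to B's own address,
# so C answers B rather than the original client.
-A POSTROUTING -o $IFACE -d $C_IP -p tcp --dport 80 -j SNAT --to-source $B_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Permit the proxied flow in both directions and nothing else through B.
-A FORWARD -i $IFACE -o $IFACE -d $C_IP -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i $IFACE -o $IFACE -s $C_IP -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Load the ruleset and turn on forwarding; must run as root on B.
apply_rules() {
    nat_rules | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}

# Usage: sh dmz-nat.sh apply   (plain "sh dmz-nat.sh" only defines the functions)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Two things to keep in mind with this shape: because of the SNAT, C's own logs will show every request as coming from B, so client addresses have to be logged on B (for example with the LOG target on the FORWARD rule, or in the proxy software itself), and the router between the two subnets must already forward packets from A.B.C.x to X.Y.Z.x and back, since B reaches C through it.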