Good idea, but this is the only rule I have! So there are no other rules to get in the way. I think what I need is some sort of debug mode for iptables.

- Steve

Matt Richards wrote:
> Hello :)
>
> Dunno if this will help much, but have you tried inserting the rule
> and not appending it? -I POSTROUTING -t nat -o eth0 -j SNAT --to
>
> I have been a little stumped by rules jumping packets to other chains
> before they hit my newly entered rule before.
>
> huh,
> Matty.
>
> On 2/12/07, Steve Brueckner <steve@xxxxxxxxxxxxxx> wrote:
>
>>>> I have an FC5 (2.6.16.13-xen kernel) box with 2 interfaces:
>>>> eth0 is 192.168.1.221 (external network)
>>>> eth1 is 192.168.10.1 (internal network)
>>>>
>>>> I've got to NAT traffic through this box from host 192.168.10.2 to
>>>> host 192.168.1.12. So I enabled IP forwarding and source NAT on
>>>> the multi-homed box:
>>>> # sysctl -w net.ipv4.ip_forward=1
>>>> # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.221
>>>>
>>>> That didn't work; the packets were indeed forwarded but their
>>>> source address was unchanged (still 192.168.10.2):
>>>> # tcpdump -n -i eth0
>>>> 18:14:12.425317 IP 192.168.10.2 > 192.168.1.12: ICMP echo request,
>>>> id 2617, seq 9, length 64
>>>>
>>>> I also tried plain old masquerading:
>>>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>> This also does not change the packets' source address, but it does
>>>> forward them from eth1 to eth0 again.
>>>>
>>>> This similar command has a different but still incorrect effect:
>>>> # iptables -t nat -A POSTROUTING -j MASQUERADE
>>>> It changes the source address of the packets on eth1 but of course
>>>> does not forward them to eth0.
>>>>
>>>> Nothing seems to work. Packets are either forwarded but without
>>>> new source IPs, or they get new source IPs but aren't forwarded.
>>>> My filter table is wide open (no rules).
>>>>
>>>> The same kernel can do SNAT just fine using Debian. I'm starting
>>>> to think FC5 is missing something. However, I seem to have the
>>>> following modules, which appear sufficient to me:
>>>> # lsmod | grep ip
>>>> ipt_MASQUERADE          3776  0
>>>> iptable_filter          3104  1
>>>> iptable_nat             8836  1
>>>> ip_nat                 18092  2 ipt_MASQUERADE,iptable_nat
>>>> ip_conntrack           55800  4 xt_state,ipt_MASQUERADE,iptable_nat,ip_nat
>>>> nfnetlink               6520  2 ip_nat,ip_conntrack
>>>> ip_tables              13636  2 iptable_filter,iptable_nat
>>>> x_tables               13188  6 xt_state,ipt_MASQUERADE,xt_tcpudp,xt_physdev,iptable_nat,ip_tables
>>>> ipv6                  269056 14
>>>>
>>>> Any ideas on how to proceed with troubleshooting this?
>>>>
>>>> Thanks,
>>>>
>>>> Steve Brueckner, ATC-NY
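The thread never gets past "packets are forwarded but the SNAT rule does nothing", and the poster wishes for a debug mode. The first question to settle in that situation is whether the nat POSTROUTING rule is matching at all, which the rule's own packet counter answers. The script below is an added example, not code from the thread or from the netfilter project: it reads the ip_forward sysctl and the `iptables -t nat -L POSTROUTING -v -n -x` counters and turns them into a verdict. The function names, the verdict strings and the `SAMPLE_NAT_OUTPUT` text are my own constructions (the sample is not output captured from the poster's box); the reasoning is split from the command execution so it can be run without root against that constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): an offline-testable SNAT sanity check.
# Gathering the facts (sysctl, nat POSTROUTING counters) is separated from
# reasoning about them, so the reasoning runs against constructed text
# without root or a live netfilter stack.

# Constructed sample of `iptables -t nat -L POSTROUTING -v -n -x` on a box
# whose SNAT rule has never matched a packet (pkts column is 0). This is
# not output captured from the poster's machine.
SAMPLE_NAT_OUTPUT='Chain POSTROUTING (policy ACCEPT 42 packets, 3528 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:192.168.1.221'

# nat_rule_pkts OUTPUT TARGET OUT_IF
# Prints the packet counter of the first rule in OUTPUT (the text of
# `iptables -t nat -L POSTROUTING -v -n -x`) whose target and out-interface
# match, or "missing" if no such rule is listed. Column layout of -v -n -x:
# pkts bytes target prot opt in out source destination [extra].
nat_rule_pkts() {
    printf '%s\n' "$1" | awk -v tgt="$2" -v oif="$3" '
        $3 == tgt && $7 == oif { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# snat_diagnosis IP_FORWARD PKTS
# Maps the two observations to a verdict. Forwarded-but-unchanged traffic,
# as described in the thread, together with a zero counter means the rule
# exists but no packet has reached it in the nat table.
snat_diagnosis() {
    if [ "$1" != "1" ]; then
        echo "forwarding-disabled"
    elif [ "$2" = "missing" ]; then
        echo "rule-missing"
    elif [ "$2" = "0" ]; then
        echo "rule-never-matched"
    else
        echo "rule-matching"
    fi
}

# snat_check_live TARGET OUT_IF
# Runs the real commands (needs root and iptables) and prints the verdict.
snat_check_live() {
    fwd=$(sysctl -n net.ipv4.ip_forward)
    out=$(iptables -t nat -L POSTROUTING -v -n -x)
    snat_diagnosis "$fwd" "$(nat_rule_pkts "$out" "$1" "$2")"
}

# Stand-alone use: `sh snat_check.sh --live SNAT eth0` on the NAT box.
# With no arguments it only prints the verdict for the constructed sample.
if [ "${1:-}" = "--live" ]; then
    snat_check_live "${2:-SNAT}" "${3:-eth0}"
else
    snat_diagnosis 1 "$(nat_rule_pkts "$SAMPLE_NAT_OUTPUT" SNAT eth0)"
fi
```

Two caveats when reading the counters. The nat table is consulted only for the first packet of each connection tracked by conntrack; the mapping it chooses is cached in the conntrack entry and applied to every later packet of that flow without touching the rules again. So a healthy SNAT rule shows a small count (one per new flow, and repeated pings with one ICMP id are one flow), while a flow that conntrack was already tracking before the rule was added keeps its old, un-NATed mapping until the entry times out; when testing, start a fresh connection after adding the rule. For the actual "debug mode" the poster asks for, kernels new enough to have the raw-table TRACE target (`iptables -t raw -A PREROUTING -s 192.168.10.2 -p icmp -j TRACE`, logging via the LOG module) record every rule a marked packet traverses, which shows directly whether it ever enters the nat POSTROUTING chain.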