On Feb 28 2007 20:49, Andrew Kraslavsky wrote:

> The DNAT rule is working as I expect it to -- it exposes the private Web
> server at 192.168.0.99 to the public network as if its address was
> 10.0.0.1. Meaning, folks surfing to http://10.0.0.1 are actually being
> serviced by the Web server at 192.168.0.99.
>
> My focus here is really on how to differentiate traffic that gets
> DNATted from 10.0.0.1 to 192.168.0.99 from traffic that was actually
> directly addressed to 192.168.0.99.

You cannot really. (There is stuff like CLUSTERIP and OpenVZ, and all that,
but I guess that goes beyond the scope of ease.)

> In both cases, by the time the packet arrives in the filter table FORWARD
> chain, the destination is simply 192.168.0.99, there is no trace of the
> original pre-DNAT IP address, if any....at least, that is where I got stuck
> anyway.

10.0.0.1# iptables [-t mangle] -A FORWARD -d 192.168.0.99 -m conntrack --ctorigdst 10.0.0.1 [-j MARK ...]

would be one rule to match such. However, I don't see how that would help
0.99 identify a packet as being DNATed by a box before it.

> I hope that explains it a bit more clearly.

Coming along, but still fuzzy.

> The approach I am playing with at the moment is to add a rule in the
> mangle table PREROUTING chain that marks any packets that show up from
> eth0 that are not addressed to 10.0.0.1. Then, in the filter table
> FORWARD chain, I added rules to test for that mark and log and drop any
> packets that match.

The only thing that gets forwarded are the packets DNATed to 0.99:80. So your
DROP rule would never match anything. Or so.

Jan
--
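The conntrack-based rule Jan sketches, written out as a full rule set on the NAT box itself, where the original (pre-DNAT) destination is still known (added example, not from either poster). It assumes eth0 is the public interface, that the Web server is only exposed on port 80, and, as a convention of this example only, that the IPT variable defaults to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: mark DNATed Web traffic on the NAT box and forward only that.
# Assumptions: eth0 faces the public network; the server listens on port 80.
# IPT defaults to a dry run that echoes the commands; run as root with
# IPT=iptables to actually apply them.
IPT="${IPT:-echo iptables}"

PUB_IP=10.0.0.1
SRV_IP=192.168.0.99
MARK=0x1

nat_rules() {
    # Expose the private Web server to the public side as 10.0.0.1:80.
    $IPT -t nat -A PREROUTING -i eth0 -d "$PUB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SRV_IP":80
}

mark_rules() {
    # By mangle FORWARD the destination is already 192.168.0.99, but the
    # conntrack entry still records the original destination, so match on it.
    $IPT -t mangle -A FORWARD -d "$SRV_IP" -m conntrack --ctorigdst "$PUB_IP" \
        -j MARK --set-mark "$MARK"
    # More general alternative: match any connection that went through DNAT.
    # $IPT -t mangle -A FORWARD -d "$SRV_IP" -m conntrack --ctstate DNAT \
    #     -j MARK --set-mark "$MARK"
}

filter_rules() {
    # Forward only the marked (DNATed) Web traffic; anything else arriving on
    # eth0 addressed directly to the private server is logged and dropped.
    $IPT -A FORWARD -i eth0 -d "$SRV_IP" -p tcp --dport 80 \
        -m mark --mark "$MARK" -j ACCEPT
    $IPT -A FORWARD -i eth0 -d "$SRV_IP" -j LOG --log-prefix "direct-to-0.99: "
    $IPT -A FORWARD -i eth0 -d "$SRV_IP" -j DROP
}

all_rules() {
    nat_rules
    mark_rules
    filter_rules
}

all_rules
```

Note that the mark is only visible on the NAT box; as Jan points out, the server at 0.99 itself still sees plain packets to 192.168.0.99 and cannot tell the two cases apart.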