On May 9 2007 00:33, Pascal Hambourg wrote:
> Jan Engelhardt wrote:
>> On May 8 2007 23:16, Bas Verhoeven wrote:
>>
>> > OUTBOUND SERVER:
>> >
>> > iptables -t nat -A PREROUTING -p tcp --dport 80 -d <ext_web_ip> -j DNAT
>> > --to-destination <webserver_ip>:80
>> >
>> > Note: We didn't touch this as it seems to work fine.
>> >
>> > WEBSERVER:
>>
>> You do not need any rules here. The outbound server will do the
>> translation in both directions.
>
> Assuming that the outbound server is the default gateway for the web server
> and receives the return traffic, of course.

You'd be kinda screwed if that was not the case. Because the 'nat' table is
only consulted for NEW connections afaics, the reply packets do _not_ get
SNATed, since the _first_ packet was the TCP SYN, which makes the connection
ESTABLISHED when input processing is done.

Jan
--
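The setup discussed above, written out as an added example (not code from the thread or from any of its participants): a script that prints the outbound-server rules implied by Bas's DNAT line together with the FORWARD rules the forwarded flow needs, the SNAT workaround for the case Pascal raises (web server whose default gateway is not the outbound server), and a check to run on the web server to see which case you are in. The interface names eth0/eth1, the addresses, and the `ip route show default` line fed to the check are assumptions made up for the example; the thread names none of them.

```shell
#!/bin/sh
# Added example, not from the thread. Functions print iptables commands so the
# rule set can be reviewed first, then piped to sh as root on the outbound
# server. Assumed (not stated in the thread): eth0 is the external interface,
# eth1 the internal one facing the web server.

# DNAT rule plus the FORWARD rules that let the translated connection and its
# replies through. Only the first packet (the SYN) is looked up in the nat
# table; every later packet of the flow, in both directions, is matched by
# conntrack, which is why the web server itself needs no rules. Note that
# FORWARD sees the packet after PREROUTING, so the destination is already
# the web server's address.
dnat_rules() {
    ext_web_ip=$1 webserver_ip=$2
    cat <<EOF
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d $ext_web_ip -j DNAT --to-destination $webserver_ip:80
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d $webserver_ip --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s $webserver_ip --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# The common workaround for the failure mode Pascal describes: if the web
# server's default gateway is NOT the outbound server, its replies go out
# another way and the reverse translation never happens. Rewriting the source
# of the forwarded SYN to the outbound server's own internal address forces
# the replies back through this box. Cost: the web server's logs show the
# outbound server's address instead of the real client.
hairpin_snat_rule() {
    webserver_ip=$1 internal_ip=$2
    printf 'iptables -t nat -A POSTROUTING -o eth1 -p tcp -d %s --dport 80 -j SNAT --to-source %s\n' "$webserver_ip" "$internal_ip"
}

# Check for the web server: does its default route point at the outbound
# server? Reads the output of `ip route show default` on stdin so it can be
# exercised on a constructed line; exits 0 when the gateway matches.
default_gw_is() {
    expected=$1
    awk -v want="$expected" '$1 == "default" && $2 == "via" && $3 == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of what `ip route show default` prints on the web server
# when the outbound server's internal address (10.0.0.1 here, assumed) is its
# default gateway.
SAMPLE_ROUTE='default via 10.0.0.1 dev eth0 proto static'
```

Usage on the outbound server: `dnat_rules 203.0.113.10 10.0.0.80 | sh` (as root); add `hairpin_snat_rule 10.0.0.80 10.0.0.1 | sh` only if `ip route show default | default_gw_is 10.0.0.1` fails on the web server, since the SNAT hides client addresses that a direct-gateway setup would preserve.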