On Wednesday, 9 May, Bas Verhoeven typed the following:

> Jan Engelhardt wrote:
>
> >> Assuming that the outbound server is the default gateway for the web
> >> server and receives the return traffic, of course.
> >
> > You'd be kinda screwed if that was not the case. Because the 'nat' table
> > is only consulted for NEW connections afaics, the reply packets do _not_
> > get SNATed, since the _first_ packet was the TCP SYN, which makes the
> > connection ESTABLISHED when input processing is done.
>
> The webserver has its own gateway, and that's not the outer box. You
> seem to be describing the exact problem I'm seeing in tcpdump; new
> connections get SNATed, 'forwarded' connections do not.
> Is there really no solution for this?

The solution is to use OUTBOUND SERVER as default gateway or do the
DNATing on the gateway. Or stop DNATing and use "normal" rules to only
allow traffic to WEBSERVER 80/tcp and reject the remaining traffic.

Ciao
Max
--
Follow the white penguin.
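As an added illustration (not from the thread and not the posters' own setup), a small Python model of the outer box's nat table and conntrack shows why DNAT only works when the web server's replies come back through that same box; the addresses and the conntrack model are constructed.

```python
# Constructed addresses: client on the Internet, the outer (DNAT) box,
# and the web server behind it. Not taken from the thread.
CLIENT, OUTER_BOX, WEBSERVER = "198.51.100.7", "203.0.113.1", "10.0.0.80"


class OuterBox:
    """Toy model of the outer box: PREROUTING DNAT to WEBSERVER plus conntrack."""

    def __init__(self):
        self.conntrack = {}   # (src, sport, dst, dport) -> rewritten tuple
        self.nat_lookups = 0  # how often the nat table was actually consulted

    def forward(self, pkt):
        """Rewrite a packet the way the box would before routing it on."""
        src, sport, dst, dport = pkt
        if pkt in self.conntrack:
            # ESTABLISHED: rewritten from the conntrack entry, nat table skipped
            return self.conntrack[pkt]
        # NEW connection: the nat table is consulted exactly once (on the SYN)
        self.nat_lookups += 1
        if dst == OUTER_BOX and dport == 80:
            translated = (src, sport, WEBSERVER, dport)
            # conntrack stores both directions so replies get un-DNATed on the
            # way back, but only if they actually pass through this box
            self.conntrack[pkt] = translated
            self.conntrack[(WEBSERVER, dport, src, sport)] = (OUTER_BOX, dport, src, sport)
            return translated
        return pkt


def simulate(replies_via_outer_box):
    """Return True if the client accepts the SYN/ACK for the connection it opened."""
    box = OuterBox()
    syn = (CLIENT, 40000, OUTER_BOX, 80)
    at_webserver = box.forward(syn)  # arrives at WEBSERVER with dst rewritten
    syn_ack = (at_webserver[2], at_webserver[3], at_webserver[0], at_webserver[1])
    if replies_via_outer_box:
        at_client = box.forward(syn_ack)  # conntrack rewrites src back to OUTER_BOX
    else:
        at_client = syn_ack  # web server's own gateway: nothing rewrites the source
    # The client only accepts a SYN/ACK from the address:port it connected to.
    return (at_client[0], at_client[1]) == (syn[2], syn[3]) and at_client[2:] == syn[:2]
```

With the web server's default gateway set to the outer box, `simulate(True)` is True; with a separate gateway, `simulate(False)` is False because the client sees a SYN/ACK from the web server's real address and drops it.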