Jan Engelhardt wrote:
On Saturday 2008-04-05 01:35, Joel Pearson wrote:
I can get iptables forwarding to work fine if the source address is
from the internet, well a different interface anyway. Using a DNAT
works fine in these circumstances. But a DNAT doesn't work to forward
within the same subnet/interface it seems.
Can someone point me in the right direction?
http://jengelh.hopto.org/images/dnat-mistake.png
The graph shows the problem clearly, but doesn't give the solution.
The host with the DNAT rule, when forwarding to a source machine on the
same subnet as the DNATted machine, should do an SNAT too. DNAT redirects
the packet; SNAT changes the source address to the address of the host
with the DNAT rule. So replies will go to the host with the DNAT rule and
everything will work.
The big problem with this setup is that the DNATted machine will lose the
ability to log the original source address, because it was SNATted.
In these situations, you could consider a DNS setup with views, replying
with the internal address for your internal network, avoiding the use of
this setup, although it works completely fine.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT email it:
gertrudes@xxxxxxxxxxxxxx
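The DNAT-plus-SNAT ("hairpin NAT") arrangement described in the reply above, written out as an added shell example that is not from the original thread. The interface names, addresses and port (eth0/eth1, 203.0.113.10, 192.168.1.0/24, 192.168.1.1, 192.168.1.50, TCP 80) are assumptions chosen for illustration; by default the script only prints the iptables commands it would run, so it can be read and checked before being applied with IPT=iptables as root.

```shell
#!/bin/sh
# Hairpin NAT example (added here, not part of the original mail thread).
# Scenario: a router DNATs its public address to an internal server, and a
# client on the SAME LAN as the server connects to the public address.
#
# Assumed addresses (constructed for this example):
WAN_IF=eth0                    # interface holding the public address
LAN_IF=eth1                    # interface on the internal subnet
PUBLIC_IP=203.0.113.10         # public address clients connect to
ROUTER_LAN_IP=192.168.1.1      # router's own address on the LAN
LAN_NET=192.168.1.0/24         # the internal subnet
SERVER_IP=192.168.1.50         # the DNATted server
PORT=80

# IPT defaults to "echo iptables": the functions print the rules instead of
# applying them. Run as root with IPT=iptables to really install them.
IPT="${IPT:-echo iptables}"

# 1. Destination rewrite. This is all that is needed for clients arriving
#    from the Internet, and it is what "works fine" in the original question.
dnat_rule() {
    $IPT -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER_IP:$PORT"
}

# 2. Let the forwarded flow through the FORWARD chain (the original poster
#    already had forwarding working; included so the example is complete).
forward_rule() {
    $IPT -A FORWARD -d "$SERVER_IP" -p tcp --dport "$PORT" -j ACCEPT
}

# 3. The missing piece for same-subnet clients. Without this rule the server
#    sees the client's real LAN address as the source and answers it
#    directly; the client never sent anything to 192.168.1.50, so the reply
#    does not match its connection and the handshake fails. Rewriting the
#    source to the router's LAN address forces the reply back through the
#    router, which undoes both translations.
#    The match is deliberately narrow (-s LAN, -d server, this port only)
#    so that ordinary LAN-to-server traffic keeps its real source address.
#    POSTROUTING already sees the DNATted destination, hence -d "$SERVER_IP".
hairpin_snat_rule() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$SERVER_IP" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$ROUTER_LAN_IP"
}

# Convenience: the full rule set, in order.
# Caveat (the one raised in the reply above): with rule 3 in place the
# server's logs show $ROUTER_LAN_IP for every LAN client, so log on the
# router (e.g. a LOG rule on the DNATted flow) if you need the real source.
hairpin_nat_rules() {
    dnat_rule
    forward_rule
    hairpin_snat_rule
}

# Forwarding must be enabled in the kernel for any of this to work:
#   sysctl -w net.ipv4.ip_forward=1
if [ "${0##*/}" != "sh" ] && [ -z "$HAIRPIN_NO_MAIN" ]; then
    hairpin_nat_rules
fi
```

Running the script without IPT set prints the three iptables commands; the SNAT rule is the only one that differs from a plain port-forward, and its narrow match is the check to keep in mind so that the rest of the LAN's traffic to the server is not masqueraded as well.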