On Sat, Apr 5, 2008 at 11:12 AM, Leonardo Rodrigues Magalhães <leolistas@xxxxxxxxxxxxxx> wrote:
>
> The graph shows the problem clearly, but doesn't give the solution.
>
> The host with the DNAT rule, when forwarding to a source machine on the same
> subnet as the DNATted machine, should do a SNAT too. DNAT redirects the
> packet, SNAT changes the source address to the address of the host with the
> DNAT rule. So, replies will go to the host with the DNAT rule and everything
> will work.
>
> The big problem of this setup is that the DNATted machine will lose the
> capacity of logging the original source address, because it was SNATted.
>
> In these situations, you could think of a DNS setup with views, replying
> with an internal address for your internal network, avoiding the use of
> this setup, although it works completely fine.
>

Hi Leonardo,

I understand the implications of the SNAT problem with respect to logging the incorrect source IP address.

The situation I have at the moment is that I am slowly migrating everything from one server to another. However, there is one particular service (IMAP in this instance) which needs to be used from inside the network and outside the network with the same domain name.

I actually have the DNS setup you are talking about; however, it is pointing to 192.168.1.3 (the machine doing the DNATing) when DNS is requested internally.

I realise I could create another domain name for this particular service, which would be quite an elegant solution; however, this is only a temporary measure for the next few weeks, because I am about to make the DNAT machine redundant.

Thanks for helping me out in my problem.

Cheers,
-Joel
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
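The DNAT-plus-SNAT ("hairpin NAT") arrangement Leonardo describes, written out as iptables rules. This is an added example and not rules posted by anyone in the thread; the interface names (eth0 LAN, ppp0 WAN), the public address 203.0.113.5, the IMAP server address 192.168.1.10 and the conntrack FORWARD rules are all assumptions constructed for the example. Only 192.168.1.3 as the NAT box comes from Joel's mail. Setting IPT=echo prints the rules instead of applying them, so the script can be inspected without root.

```shell
#!/bin/sh
# Hairpin NAT for an IMAP server that internal clients reach via its public name.
# Assumed topology (constructed for this example, not taken from the thread):
#   NAT box (the "DNAT machine"): 192.168.1.3, eth0 = LAN, ppp0 = WAN
#   public address on ppp0, which the DNS name resolves to: 203.0.113.5
#   IMAP server on the LAN:       192.168.1.10
#   internal clients:             192.168.1.0/24
# Set IPT=echo to print the commands instead of applying them.
IPT=${IPT:-iptables}
LAN_IF=eth0
WAN_IF=ppp0
NAT_BOX=192.168.1.3
LAN_NET=192.168.1.0/24
IMAP_SERVER=192.168.1.10
PUBLIC_IP=203.0.113.5

# External clients: plain DNAT on the WAN side. Replies leave the LAN through
# the NAT box anyway (it is the default gateway), so no SNAT is needed and the
# IMAP server still logs the real client address.
external_dnat() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 143 \
        -j DNAT --to-destination "$IMAP_SERVER"
}

# Internal clients that connect to the public address: the same DNAT, plus an
# SNAT to the NAT box. Without the SNAT the server would answer the client
# directly from 192.168.1.10, the client would see a reply from an address it
# never sent a SYN to, and the connection would never complete.
# Cost, as noted in the thread: the server logs $NAT_BOX as the source of
# every internal connection.
internal_hairpin() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" -p tcp --dport 143 \
        -j DNAT --to-destination "$IMAP_SERVER"
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$IMAP_SERVER" -p tcp --dport 143 \
        -j SNAT --to-source "$NAT_BOX"
}

# Let the forwarded IMAP traffic through FORWARD (only needed if the policy is DROP).
forward_allow() {
    $IPT -A FORWARD -d "$IMAP_SERVER" -p tcp --dport 143 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$IMAP_SERVER" -p tcp --sport 143 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

apply_all() {
    external_dnat
    internal_hairpin
    forward_allow
}

# "show" prints the rules, "apply" installs them (needs root and ip_forward=1).
case "${1:-}" in
    show)  IPT=echo apply_all ;;
    apply) apply_all ;;
esac
```

Run `sh hairpin.sh show` to review the rules and `sudo sh hairpin.sh apply` to install them, after `sysctl -w net.ipv4.ip_forward=1`. The SNAT rule is deliberately restricted to traffic that was hairpinned (LAN source, IMAP server destination, leaving on the LAN interface) so that connections from the Internet keep their original source address in the server's logs.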