Re: Redirecting ports in a bridge

On 04/18/08 04:27, Javier Prieto Martínez wrote:
> 1) I have to SNAT the response. I've tried that rule: iptables -t nat -A POSTROUTING -p tcp --sport 80 -s 192.168.2.2 -d 192.168.1.0/24 -j SNAT --to-source 192.168.2.1

As Jan Engelhardt has pointed out so well, you are very likely dealing with (what I call) a "TCP Triangle". If there is not something else in the mix doing source NATing, you will need to do something else to avoid the "TCP Triangle". There are many different options available, one of which is the SNATing like you are referring to (though I would be careful on selecting the packets to SNAT). Another would be to have your clients connect to IPs on LAN 1 that are bound to the router that is DNATing traffic to LAN 2 and then unDNATing the replies. You could also have duplicate IPs bound on server 1 and server 2 and use some clustering techniques to alter which MAC address / server the packet(s) go to, thus allowing both servers to answer with the proper IP.

> 2) I have to use ebtables, as I'm using a bridge.

I would suggest that you use EBTables seeing as how you are bridging. I think things will be easier to maintain and you will be using a simpler operation.



Grant. . . .
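Added example, not from the thread: a toy model of the "TCP Triangle" discussed above. It walks one client SYN through DNAT to 192.168.2.2, lets the server answer whichever address it saw, and checks whether the client recognises the reply. Without SNAT the reply goes straight to the client from 192.168.2.2 and is not part of any connection the client knows; with SNAT to 192.168.2.1 the reply returns through the router, which reverses both mappings. The model applies the SNAT to the client-to-server direction (netfilter decides NAT on a connection's first packet and reverses it for replies); the client address 192.168.1.10, the router's LAN 1 address 192.168.1.1 and the client port are assumptions.

```python
# Added example (not from the thread): a toy model of the "TCP Triangle".
# Addresses 192.168.2.1 and 192.168.2.2 come from the thread; CLIENT,
# ROUTER_LAN1 and the client port 40000 are assumptions.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

CLIENT = "192.168.1.10"      # assumed client on LAN 1 (192.168.1.0/24)
ROUTER_LAN1 = "192.168.1.1"  # assumed router address the client connects to
ROUTER_LAN2 = "192.168.2.1"  # --to-source address from the thread
SERVER = "192.168.2.2"       # DNAT target from the thread

def reverse(p: Packet) -> Packet:
    """The reply tuple for a packet (swap source and destination)."""
    return Packet(p.dst, p.dport, p.src, p.sport)

class NatRouter:
    """DNAT ROUTER_LAN1:80 -> SERVER:80, optionally SNAT to ROUTER_LAN2.
    As in netfilter, the NAT decision is made on the first packet of the
    connection, recorded in a conntrack table, and reversed for replies."""
    def __init__(self, snat: bool):
        self.snat = snat
        self.conntrack = {}  # expected reply tuple -> original request

    def forward(self, p: Packet) -> Packet:
        if p.dst == ROUTER_LAN1 and p.dport == 80:        # PREROUTING DNAT
            mapped = replace(p, dst=SERVER)
            if self.snat:                                   # POSTROUTING SNAT
                mapped = replace(mapped, src=ROUTER_LAN2)
            self.conntrack[reverse(mapped)] = p
            return mapped
        if p in self.conntrack:                             # un-NAT a reply
            return reverse(self.conntrack[p])
        return p

def run(snat: bool):
    """Return (client accepted the reply?, reply as seen by the client)."""
    router = NatRouter(snat)
    syn = Packet(CLIENT, 40000, ROUTER_LAN1, 80)
    reply = reverse(router.forward(syn))   # server answers whoever it saw
    # On the bridge the server reaches LAN 1 directly, so the reply only
    # passes the router's NAT tables when it is addressed to the router.
    if reply.dst == ROUTER_LAN2:
        reply = router.forward(reply)
    return reply == reverse(syn), reply
```

`run(False)` returns a reply sourced from 192.168.2.2 that the client never connected to; `run(True)` returns one sourced from 192.168.1.1, matching the client's connection.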
