On Fri, 31 Jul 2009 19:49:23 +0200, Thomas Jacob wrote:

> Ah yes, the ssh server is on a DNATed internal machine, sorry about.
>
> In that case you need to SNAT your request to the local machine as
> well, and also keep the original DNAT rule:
>
> So:
>
> $IPTABLES -t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -p tcp \
>     -d $HOST_E --dport 22 -j DNAT --to-destination $HOST_I
>
> +
>
> # SNAT rewrites the source address, so its option is --to-source
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/16 -p tcp \
>     -d $HOST_I --dport 22 -j SNAT --to-source <Internal-Router-IP>
>
> should get you there.
>
> Just tried that on a similar setup and it worked well for me, I can
> ssh to myself via the NAT router by contacting the NAT router's public
> IP ;)

Thanks again, but after trying this and numerous variations I still can't make this work, and I've read plenty of other stuff that says to do what you say, but no cigar :(

It's annoying and I'd like to get it working at the firewall. But for now I think I'm going to take Robby's advice and have a look at split views with Bind. This also does seem to be the recommended way to do it.

Still, I must have learnt something from all this! ;)

Cheers,
Andrew
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
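The hairpin (NAT reflection) rule set the thread is discussing, written out as a complete, added example rather than code from either poster. It assumes hypothetical names: the LAN sits on eth1 (as in the thread), the public address is HOST_E, the internal ssh server is HOST_I, and the router's own LAN address is ROUTER_I. Beyond the two nat rules quoted above, it adds the FORWARD rules the hairpinned flow also needs (it enters and leaves on the same interface, which a typical LAN-to-WAN-only FORWARD policy drops) and restricts the SNAT to connections that were actually DNATed, so that clients talking to HOST_I directly keep their real source address in sshd's logs. Set IPTABLES="echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Hairpin NAT for a DNATed internal ssh server (added example, not from the thread).
# Assumed/hypothetical: lan_if=eth1, host_e=public IP, host_i=internal server,
# router_i=router's LAN address. Requires net.ipv4.ip_forward=1 on the router.

hairpin_rules() {
    lan_if="$1"      # interface the LAN clients are on, e.g. eth1
    lan_net="$2"     # LAN prefix, e.g. 192.168.0.0/16
    host_e="$3"      # public address the clients connect to
    host_i="$4"      # internal host that really runs sshd
    router_i="$5"    # router's own address on the LAN
    port="${6:-22}"
    ipt="${IPTABLES:-iptables}"

    # 1. DNAT: a LAN client that hits the public address is sent to the
    #    internal server, exactly as in the original rule.
    $ipt -t nat -A PREROUTING -i "$lan_if" -s "$lan_net" -p tcp \
        -d "$host_e" --dport "$port" -j DNAT --to-destination "$host_i"

    # 2. SNAT: the server's replies must come back through the router,
    #    otherwise it answers the client directly with a source of host_i,
    #    which the client does not recognise as its connection to host_e.
    #    SNAT takes --to-source. "--ctstate DNAT" limits this to hairpinned
    #    flows so direct LAN->host_i connections keep their real source IP.
    $ipt -t nat -A POSTROUTING -o "$lan_if" -s "$lan_net" -p tcp \
        -d "$host_i" --dport "$port" -m conntrack --ctstate DNAT \
        -j SNAT --to-source "$router_i"

    # 3. FORWARD: the hairpinned packets enter and leave on the same
    #    interface; a LAN->WAN-only forwarding policy silently drops them.
    $ipt -A FORWARD -i "$lan_if" -o "$lan_if" -p tcp -d "$host_i" \
        --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    $ipt -A FORWARD -i "$lan_if" -o "$lan_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Dry run with constructed example addresses (203.0.113.0/24 is documentation space):
#   IPTABLES="echo iptables" hairpin_rules eth1 192.168.0.0/16 203.0.113.10 192.168.1.20 192.168.1.1 22
```

To verify a live setup, run `iptables -t nat -L -n -v` and `conntrack -L` while a LAN client connects to HOST_E:22: the DNAT counter should tick, and the conntrack entry should show the reply direction addressed to ROUTER_I, not to the client. If the DNAT counter stays at zero, the client is not reaching the router at all (a local route for HOST_E on the client, or the packet arriving on a different interface than eth1, are the usual reasons).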