Hello,

Feasey, Nicholas wrote:
> I'm setting up a box that will be the only device on the Internet and
> will forward requested services to other servers sitting on a DMZ.
>
> As a test I started with redirecting a web server.
>
> To test my arrangement I first merely set up a simple masquerade (just
> on my internal network) in my iptables like so:
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.40.15
> -A POSTROUTING -j MASQUERADE

Be aware that using MASQUERADE on all interfaces may not do what you want. Usually, it is used only on the public internet side.

> *filter
> ...normal filtering lines follow.
>
> This POSTROUTING entry works as well:
>
> -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.40.15
>
> I think this is because the above line is doing the same as the shortcut
> MASQUERADE.

Not exactly. This rule replaces the source address of any connection going out eth0 with 192.168.40.15, whereas the above MASQUERADE rule replaces the source address of any connection going out any interface with the address of the interface. By the way, it is weird that you use the address of a remote host (the server in the DMZ).

> When I check the httpd access_log it shows that the connection came from
> 192.168.40.15 as expected. It works.

I'm puzzled. A connection cannot match both the DNAT and SNAT rules as they have the same input and output interface eth0. Even if it did (the connection goes out the interface it came in), this connection would end up having the same address as source and destination 192.168.40.15.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
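The following is an added example, not part of the thread above and not the poster's or the responder's code. It is a small model of how a new connection's first packet walks the nat table (PREROUTING, then the routing decision, then POSTROUTING) and is used to compare the three POSTROUTING variants discussed: MASQUERADE on every interface, SNAT --to-source 192.168.40.15 on eth0, and MASQUERADE restricted to the public side. The topology is an assumption made for the example: eth0 is the public interface with the constructed address 198.51.100.1, eth1 faces the DMZ with 192.168.40.1, and the client addresses are constructed documentation-range values. The model covers only the first packet of a connection; real netfilter records the mapping in conntrack and applies it to the rest of the flow.

```python
"""Toy model of netfilter nat-table traversal for one new connection.

Constructed for illustration: interfaces, addresses and packets are assumptions,
not values taken from the mailing-list thread beyond 192.168.40.15 and eth0.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Assumed topology: eth0 = public side, eth1 = DMZ side (address, attached network).
IFACES = {
    "eth0": ("198.51.100.1", ip_network("198.51.100.0/24")),
    "eth1": ("192.168.40.1", ip_network("192.168.40.0/24")),
}
DEFAULT_IFACE = "eth0"  # default route points to the Internet


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_iface: str = "eth0"
    out_iface: str = ""  # filled in by the routing decision


def route(dst: str) -> str:
    """Routing decision: directly connected network first, else the default route."""
    for name, (_, net) in IFACES.items():
        if ip_address(dst) in net:
            return name
    return DEFAULT_IFACE


def matches(rule: dict, pkt: Packet) -> bool:
    """Evaluate iptables-style match options (-i, -o, -p, --dport) against a packet."""
    fields = {"-i": pkt.in_iface, "-o": pkt.out_iface, "-p": pkt.proto, "--dport": pkt.dport}
    return all(fields[opt] == want for opt, want in rule["match"].items())


def apply_target(rule: dict, pkt: Packet) -> Packet:
    """DNAT rewrites the destination; SNAT uses a fixed source; MASQUERADE uses
    the address of the interface the packet is about to leave through."""
    target = rule["target"]
    if target == "DNAT":
        return replace(pkt, dst=rule["to"])
    if target == "SNAT":
        return replace(pkt, src=rule["to"])
    if target == "MASQUERADE":
        return replace(pkt, src=IFACES[pkt.out_iface][0])
    raise ValueError(f"unsupported target {target}")


def traverse(nat: dict, pkt: Packet) -> tuple[Packet, list[str]]:
    """Walk PREROUTING, route, then POSTROUTING. Returns the packet as it leaves
    the box and the names of the rules that fired (first match wins per chain)."""
    fired = []
    for rule in nat["PREROUTING"]:
        if matches(rule, pkt):
            pkt, fired = apply_target(rule, pkt), fired + [rule["name"]]
            break
    pkt = replace(pkt, out_iface=route(pkt.dst))
    for rule in nat["POSTROUTING"]:
        if matches(rule, pkt):
            pkt, fired = apply_target(rule, pkt), fired + [rule["name"]]
            break
    return pkt, fired


# The rules from the thread, plus a MASQUERADE limited to the public interface.
DNAT_WEB = {"name": "dnat-web", "match": {"-p": "tcp", "-i": "eth0", "--dport": 80},
            "target": "DNAT", "to": "192.168.40.15"}
MASQ_ALL = {"name": "masq-all", "match": {}, "target": "MASQUERADE"}
SNAT_ETH0 = {"name": "snat-eth0", "match": {"-o": "eth0"}, "target": "SNAT", "to": "192.168.40.15"}
MASQ_PUBLIC = {"name": "masq-eth0", "match": {"-o": "eth0"}, "target": "MASQUERADE"}

RULESET_POSTED = {"PREROUTING": [DNAT_WEB], "POSTROUTING": [MASQ_ALL]}
RULESET_SNAT = {"PREROUTING": [DNAT_WEB], "POSTROUTING": [SNAT_ETH0]}
RULESET_PUBLIC_ONLY = {"PREROUTING": [DNAT_WEB], "POSTROUTING": [MASQ_PUBLIC]}

# Constructed traffic: an Internet client hitting the public address on port 80,
# and the DMZ web server opening an outbound HTTPS connection.
INBOUND = Packet(src="203.0.113.7", dst="198.51.100.1", dport=80, in_iface="eth0")
OUTBOUND = Packet(src="192.168.40.15", dst="203.0.113.9", dport=443, in_iface="eth1")

if __name__ == "__main__":
    for label, nat in (("posted", RULESET_POSTED), ("snat", RULESET_SNAT), ("public-only", RULESET_PUBLIC_ONLY)):
        for name, pkt in (("inbound", INBOUND), ("outbound", OUTBOUND)):
            out, fired = traverse(nat, pkt)
            print(f"{label:12} {name:8} {out.src} -> {out.dst} via {out.out_iface}  rules={fired}")
```

Running it shows the responder's two points. With the posted ruleset the forwarded request leaves eth1 and the catch-all MASQUERADE rewrites its source to the box's DMZ address, so the web server's access_log records the router rather than the real client. With the SNAT rule, the DNATed packet leaves eth1, so a rule qualified with `-o eth0` never fires on it, which is why a connection cannot match both; that same SNAT rule does fire on the DMZ host's outbound traffic and sends it to the Internet with a private source address. Restricting MASQUERADE to `-o eth0` keeps the client address intact on forwarded connections and masquerades only traffic actually leaving for the Internet.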