Thank you for your response and explanation of the difference between MASQUERADE and SNAT. I really do not want to use MASQUERADE for exactly the reason that you state. My explanation is confusing because I was using the same ethernet port just for testing. In the real world I'm trying to achieve a box that acts as a firewall and depending on the service requested routes to an internal machine lying on a DMZ. So, I'd be using multiple ethernet ports as you would expect. To be clear (I hope) users would enter http://somesite.somewhere.com and it would resolve to an IP address on the firewall box. They hit the outside interface (port 80 or 443) and it would forward this to a machine on the DMZ. That's all I'm trying to achieve here. Is this just achieved via a series of FORWARD commands like any other? On 2011-02-19, at 6:10 PM, Pascal Hambourg wrote: > Hello, > > Feasey, Nicholas a écrit : >> I'm setting up a box that will be the only device on the Internet and >> will forward requested services to other servers sitting on a DMZ. >> >> As a test I started with redirecting a web server. >> >> To test my arrangement I first merely set up a simple masquerade (just >> on my internal network) in my iptables like so: >> >> *nat >> :PREROUTING ACCEPT [0:0] >> :POSTROUTING ACCEPT [0:0] >> -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.40.15 >> -A POSTROUTING -j MASQUERADE > > Be aware that using MASQUERADE on all interfaces may not do what you > want. Usually, it is used only on the public internet side. > >> *filter >> ...normal filtering lines follow. >> >> This POSTROUTING entry works as well: >> >> -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.40.15 >> >> I think this is because the above line is doing the same as the shortcut >> MASQUERADE. > > Not exactly. This rule replaces the source address of any connection > going out eth0 with 192.168.40.15 whereas the above MASQUERADE rule > replaces the source address of any connection going out any interface > with the address of the interface. > > By the way, it is weird that you use the address of a remote host (the > server in the DMZ). > >> When I check the httpd access_log it shows that the connection came from >> 192.168.40.15 as expected. It works. > > I'm puzzled. A connection cannot match both the DNAT and SNAT rules as > they have the same input and output interface eth0. Even if it did (the > connection goes out the interface it came in), this connection would end > up having the same address as source and destination 192.168.40.15. > -- > To unsubscribe from this list: send the line "unsubscribe netfilter" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > >
Attachment:
smime.p7s
Description: S/MIME cryptographic signature