Why are u not natting to internal ip space? Better question, if ur using NAT why are you not using internal ip inside ur network and natting to external ip on the egress? Just trying to see why you've chosen this topology over others. On 6/23/11, Greg Scott <GregScott@xxxxxxxxxxxxxxxx> wrote: >> Why would NATing in both PREROUTING and POSTROUTING >> work **only** when I watch it with tcpdump and not work otherwise? > > I should be more clear. The problem is with internal users looking at > internally hosted web and ftp sites using the public IP Addresses. The > way you do this is, DNAT the packet in PREROUTING and then MASQUERADE > the packet in POSTROUTING. The technique is documented in a howto > someplace and I've been doing it for several years at several sites. > > At this particular site, all worked fine until I replaced the old > firewall with a new one. Now it only works properly when I watch the > conversation the tcpdump. I'm not making this up. > > - Greg Scott > -- > To unsubscribe from this list: send the line "unsubscribe netfilter" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- Sent from my mobile device Payam Tarverdyan Chychi Network Security Specialist / Network Engineer -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
