I am sorry, I am not able to get you. Since we are using the MASQUERADE rule in POSTROUTING, all the traffic from the 192.168.*.* subnet will be source-NATed to the 10.12.*.* subnet, right? Why do we have to add a rule in the POSTROUTING chain again just to say accept?

Regards,
Ajith

On Wed, Oct 19, 2011 at 12:03 AM, Erik Schorr <erik-lists@xxxxxxxx> wrote:
> On 10/17/2011 8:42 PM, Ajith Adapa wrote:
>>
>> I have the following setup. GW eth1 (private IP) is connected to the ISP
>> router. For host H1 I have set the DNS server as 10.12.3.10.
>>
>> H1 (eth0) --- (eth0) GW (eth1) ---
>> H1 eth0 = 192.168.1.2
>> GW eth0 = 192.168.1.1
>> GW eth1 = 10.12.3.12
>> DNS = 10.12.3.10
>>
>> I have added a rule in GW saying:
>> iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
>>
>> Now when I am trying to access the internet from host H1, DNS queries are
>> being sent to 10.12.3.10, which are masqueraded in GW. Once replies
>> come back from the DNS server, GW replies back to the DNS server with
>> ICMP destination unreachable.
>
> If there's no reason to SNAT/masquerade traffic from eth0 to a host on eth1
> (10.12.3.*), you can try inserting an ACCEPT rule in the POSTROUTING table
> just before the MASQUERADE rule, to prevent the traffic from 192.168.1.* to
> 10.12.3.* having its source address changed in flight:
>
> # iptables -A POSTROUTING -t nat -o eth1 -m comment --comment "dont masq stuff from private net to DMZ net" -s 192.168.1.0/24 -d 10.12.3.0/24 -j ACCEPT
> # iptables -A POSTROUTING -t nat -o eth1 -m comment --comment "masq everything else" -j MASQUERADE
>
>> In the ideal case, once the reply comes back, GW has to send it to host H1,
>> right?
>>
>> Sorry if I am wrong or missed any steps down here.
>>
>> Regards,
>> Ajith
>
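The rule set Erik describes, written as an iptables-restore fragment, plus a check for the one ordering mistake that silently defeats it. This is an added example, not code from the thread: the interface names and subnets are the ones Ajith posted, and the script only prints rules and inspects text, so it can be run without root; nothing reaches the kernel until you pipe the output into iptables-restore yourself. Note that on a gateway where `-A POSTROUTING ... -j MASQUERADE` is already loaded, appending the ACCEPT rule with `-A` puts it after the MASQUERADE rule, where it never matches; on a live box use `iptables -t nat -I POSTROUTING 1 ...` instead, or load the whole table from the fragment below.

```shell
#!/bin/sh
# Added example (not from the netfilter thread). Emits the nat table with the
# LAN->DMZ exemption listed before MASQUERADE, and checks that ordering.

WAN_IF=eth1                 # GW's ISP-facing interface, from the thread
LAN_NET=192.168.1.0/24      # H1's network behind GW eth0
DMZ_NET=10.12.3.0/24        # network holding the DNS server 10.12.3.10

# Print the nat table in iptables-restore format. iptables-restore applies
# rules top to bottom in the order written, so the ACCEPT exemption for
# LAN->DMZ traffic is listed first and MASQUERADE catches everything else
# leaving $WAN_IF.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -d $DMZ_NET -m comment --comment "dont masq private net to DMZ net" -j ACCEPT
-A POSTROUTING -o $WAN_IF -m comment --comment "masq everything else" -j MASQUERADE
COMMIT
EOF
}

# Read a rule listing on stdin (either the fragment above or the output of
# `iptables-save -t nat` on a live gateway) and print "ok" if a POSTROUTING
# ACCEPT rule matching LAN_NET -> DMZ_NET appears before the first
# POSTROUTING MASQUERADE rule, otherwise "bad". A MASQUERADE rule with no
# exemption, or an exemption appended after it, both count as "bad".
check_order() {
    awk -v lan="$LAN_NET" -v dmz="$DMZ_NET" '
        /^-A POSTROUTING/ && /-j MASQUERADE/ && !masq { masq = NR }
        /^-A POSTROUTING/ && /-j ACCEPT/ && index($0, lan) && index($0, dmz) && !acc { acc = NR }
        END {
            r = (acc && (!masq || acc < masq)) ? "ok" : "bad"
            print r
        }'
}
```

To load it: `nat_rules | iptables-restore` (this replaces the nat table; add `--noflush` if other nat rules must survive). To audit a running gateway without changing anything: `iptables-save -t nat | check_order`, or eyeball it with `iptables -t nat -L POSTROUTING -v -n --line-numbers`, which also shows per-rule packet counters so you can confirm DNS traffic is hitting the ACCEPT line rather than MASQUERADE.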