Hello, Paolo. After adding the new NAT rule, you should remove the existing conntrack entries for the 192.168.1.201 flows. Otherwise these flows will keep using the existing entries with the ...234 external address.

2014-08-01 12:00 GMT+04:00 Paolo Tezza <paolo.tezza@xxxxxxxxx>:
> Hi all
>
> I have a firewall with 3 physical NICs (LAN, WAN, DMZ).
> I have 8 public IPs I can use on the WAN NIC (eth0),
>
> so I configured some aliases on eth0:
> eth0   x.x.x.234 Mask:255.255.255.248
> eth0:0 x.x.x.235 Mask:255.255.255.248
> eth0:1 x.x.x.237 Mask:255.255.255.248
> eth0:2 x.x.x.238 Mask:255.255.255.248
>
> eth1   10.0.0.254 Bcast:10.0.0.255 Mask:255.255.255.0
>
> eth2   192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
>
>
> I have added this iptables rule, which works like a charm:
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.234
>
> Both my LAN (eth2) and my DMZ (eth1) surf the internet with the physical IP.
>
>
> Now I need one host, 192.168.1.201, to be "masqueraded" with x.x.x.238,
> so I add the rule ABOVE the first one:
> iptables -t nat -A POSTROUTING -s 192.168.1.201 -o eth0 -j SNAT --to-source x.x.x.238
>
>
>
> The issue is that 192.168.1.201 keeps using the physical IP x.x.x.234 and
> not x.x.x.238.
>
> Any hint?
>
> Thanks
>
>
> Paolo
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Anton.
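As an added illustration of the two points in this thread (not code posted by either participant): `-A` appends, so a rule added that way lands after the catch-all SNAT and is never reached, while `-I` places the host-specific rule first; and NAT is decided only for the first packet of a flow, so the conntrack entries for the host (via conntrack-tools) must be deleted before existing flows pick up the new mapping. The addresses are the ones from the thread, with x.x.x.* kept as a placeholder; the DRY_RUN switch is an assumption of this script so the commands can be reviewed before running them as root.

```shell
#!/bin/sh
# Added example, not from the thread. Installs the host-specific SNAT rule
# ahead of the catch-all one and drops the stale conntrack entries that would
# otherwise keep mapping 192.168.1.201 to the old external address.
# DRY_RUN=1 prints the commands instead of executing them (execution needs root).

WAN_IF=eth0
HOST=192.168.1.201
HOST_SRC="x.x.x.238"        # placeholder as in the thread

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# -A would append below the catch-all rule, where a more specific rule never
# matches; -I POSTROUTING 1 inserts it at the top so it is evaluated first.
add_host_snat() {
    run iptables -t nat -I POSTROUTING 1 -s "$HOST" -o "$WAN_IF" \
        -j SNAT --to-source "$HOST_SRC"
}

# Flows already in the conntrack table keep their original NAT decision.
# Deleting the entries whose original source is the host forces new lookups,
# so subsequent packets start a fresh flow under the new rule.
flush_host_conntrack() {
    run conntrack -D -s "$HOST"
}

# Show the nat POSTROUTING chain with rule numbers to confirm the ordering.
show_order() {
    run iptables -t nat -L POSTROUTING -n --line-numbers
}

apply_snat_change() {
    add_host_snat
    flush_host_conntrack
    show_order
}
```

Run `DRY_RUN=1 sh -c '. ./snat.sh; apply_snat_change'` to review the exact commands first, then without DRY_RUN as root to apply them.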