you hit the point!! thank you so much

2014-08-01 19:48 GMT+02:00 Anton Danilov <littlesmilingcloud@xxxxxxxxx>:
> Hello, Paolo.
>
> After adding the new nat rule, you should remove the existing conntrack
> entries of 192.168.1.201 flows. Otherwise these flows will keep using the
> existing entries with the ...234 external address.
>
> 2014-08-01 12:00 GMT+04:00 Paolo Tezza <paolo.tezza@xxxxxxxxx>:
>> Hi all
>>
>> I have a firewall with 3 physical NICs (LAN, WAN, DMZ)
>> I have 8 public IPs I can use on the WAN NIC (eth0)
>>
>> so I configured some aliases on eth0:
>> eth0   x.x.x.234  Mask:255.255.255.248
>> eth0:0 x.x.x.235  Mask:255.255.255.248
>> eth0:1 x.x.x.237  Mask:255.255.255.248
>> eth0:2 x.x.x.238  Mask:255.255.255.248
>>
>> eth1   10.0.0.254     Bcast:10.0.0.255     Mask:255.255.255.0
>>
>> eth2   192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
>>
>>
>> I have added this iptables rule that works like a charm
>> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.234
>>
>> both my LAN (eth2) and my DMZ (eth1) surf the internet with the physical IP
>>
>>
>> Now I need that one host 192.168.1.201 will be "masqueraded" with x.x.x.238
>> so I add the rule ABOVE the first one
>> iptables -t nat -A POSTROUTING -s 192.168.1.201 -o eth0 -j SNAT --to-source x.x.x.238
>>
>>
>>
>> The issue is that 192.168.1.201 keeps using the physical IP x.x.x.234 and
>> not x.x.x.238
>>
>> Some hint?
>>
>> thanks
>>
>>
>> Paolo
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>
> --
> Anton.
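Two things have to hold for the per-host SNAT to take effect: the host-specific rule must actually sit above the catch-all rule in the nat POSTROUTING chain (-A appends at the end of the chain, -I inserts at the top), and, as Anton says, conntrack entries created under the old rule must be removed, because the NAT mapping is chosen on a flow's first packet and reused from conntrack for the rest of that flow. The script below is an added example, not code from the thread; it installs the rules in the right order, lists the flows of 192.168.1.201 that are still mapped to the old address, and deletes exactly those entries. Since the thread elides the public addresses, it assumes the catch-all address is 198.51.100.234 and the dedicated one is 198.51.100.238; the DRY_RUN helper and the sample conntrack lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the netfilter list thread). Assumed addresses:
# the catch-all SNAT address is 198.51.100.234, the dedicated address for
# 192.168.1.201 is 198.51.100.238; the real post elides them as x.x.x.N.
HOST=192.168.1.201
OLD_SNAT=198.51.100.234
NEW_SNAT=198.51.100.238
WAN=eth0

# DRY_RUN=1 prints the privileged commands instead of executing them.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Order matters: the per-host rule is inserted at position 1 so the kernel
# evaluates it before the catch-all, which is appended after it. Rerunning
# this duplicates rules; check with "iptables -t nat -C ..." first if needed.
install_rules() {
  run iptables -t nat -I POSTROUTING 1 -s "$HOST" -o "$WAN" -j SNAT --to-source "$NEW_SNAT"
  run iptables -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$OLD_SNAT"
}

# Reads "conntrack -L" (or /proc/net/nf_conntrack) lines on stdin and prints
# the entries whose original source is $1 and whose reply-direction dst (the
# address the flow was SNATed to) is $2, i.e. flows still using the old map.
# Un-NATed flows (reply dst equals the LAN host itself) are not reported.
stale_flows() {
  awk -v host="$1" -v old="$2" '
  {
    osrc = ""; rdst = ""; ndst = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^src=/ && osrc == "") osrc = substr($i, 5)   # first tuple: original src
      if ($i ~ /^dst=/) { ndst++; if (ndst == 2) rdst = substr($i, 5) }  # second tuple: reply dst
    }
    if (osrc == host && rdst == old) print
  }'
}

stale_count() {
  stale_flows "$@" | awk 'END { print NR }'
}

# conntrack(8): -s/--orig-src and -q/--reply-dst. Deleting by both fields
# removes only the entries still mapped to the old address and leaves the
# host's other flows alone. Remaining flows restart under the new rule.
flush_stale() {
  run conntrack -D -s "$HOST" -q "$OLD_SNAT"
}

# Constructed sample of "conntrack -L" output: two stale flows (.234), one
# already on .238, one from another host, one un-NATed flow to the gateway.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.201 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=198.51.100.234 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.201 dst=203.0.113.53 sport=40000 dport=53 src=203.0.113.53 dst=198.51.100.234 sport=53 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.201 dst=203.0.113.10 sport=51235 dport=443 src=203.0.113.10 dst=198.51.100.238 sport=443 dport=51235 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.77 dst=203.0.113.10 sport=51236 dport=443 src=203.0.113.10 dst=198.51.100.234 sport=443 dport=51236 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.201 dst=192.168.1.254 sport=40001 dport=53 src=192.168.1.254 dst=192.168.1.201 sport=53 dport=40001 mark=0 use=1'

case "${1:-}" in
  apply)   # as root on the firewall
    install_rules
    conntrack -L 2>/dev/null | stale_flows "$HOST" "$OLD_SNAT"
    flush_stale
    ;;
  demo)    # offline, against the constructed sample
    printf '%s\n' "$SAMPLE" | stale_flows "$HOST" "$OLD_SNAT"
    ;;
esac
```

Run `sh snat-fix.sh demo` to see which of the sample entries would be deleted, and `DRY_RUN=1 sh snat-fix.sh apply` to print the iptables and conntrack commands before running them for real. After the flush, `conntrack -L -s 192.168.1.201` should show new entries whose reply-direction dst is the dedicated address.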