dan at usrsbin.com
Sun Aug 6 17:28:28 MDT 2006
I do have to SNAT every IP. We aren't doing Masquerading on that range
of IPs. We are doing 1:1 NAT. Masquerading will change everything to
the Firewalls IP which will completely hose the network. DNAT won't NAT
any connections if the server in 10.2.253 subnet initiates a connection.
Sean, thanks for the tip on rp_filter. That might be it. I think it's
on by default in the 2.6 kernels. I thought about it but forgot to
disable it the other day when I was helping my friend with this firewall.
I also read that you have to do something like this for each IP you want
ip address add 188.8.131.52 dev eth2 and so on. I also did that and
nothing, so maybe it's the rp_filter.
David L. Anselmi wrote:
> Dan Ferris wrote:
>> Hello list,
>> I have the following in an iptables setup:
>> Chain PREROUTING (policy ACCEPT 41 packets, 4193 bytes)
>> pkts bytes target prot opt in out source
>> 0 0 DNAT all -- * * 0.0.0.0/0
>> 184.108.40.206 to:10.2.253.21
> So it looks like packets are hitting the chain, just not matching a
> rule. What command did you use to set these up (one DNAT and
> corresponding SNAT should do)?
> You don't have to SNAT every IP. Just masquerading everything will
> work (and applies to connections initiated by the servers--DNAT should
> take care of both directions for incoming connections). In fact,
> maybe attacking one rule for one server at a time would help.
> I assume the firewall has aliases for all the 204.x addresses on its
> outside interface.
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
What do you call a guy with no legs who is waterskiing?
More information about the LUG