On Thursday 23 May 2002 3:53 pm, Marc SCHAEFER wrote:

> The machine on the internal_net only has one IP address (in this case
> 193.72.186.6, could be e.g. 192.168.x.x), but must be reachable from the
> outside as: 62.2.159.14 and 194.38.85.209.
>
> The firewall has addresses 62.2.159.15, 194.38.85.206 and 193.72.186.15
> (again, this one could have been 192.168.x.x).
>
> The machine on the internal_net cannot do any special tricks. It must
> receive all packets to 193.72.186.6 (the from can be an external address).
> Now, the firewall must remember what was the incoming address (62.2.159.14
> or 194.38.85.209) and re-NAT it accordingly when it goes out, and send it
> on the correct outgoing interface.
This sounds simple for iptables, but impossible for a standard routing table on the firewall...

If you simply use two DNAT rules in your PREROUTING chain:

    iptables -t nat -A PREROUTING -d 62.2.159.14 -j DNAT --to-destination 193.72.186.6
    iptables -t nat -A PREROUTING -d 194.38.85.209 -j DNAT --to-destination 193.72.186.6

then iptables will automatically look after the reverse translation of the replying packets from the internal machine to the external client.

However, I think you'll need to do something very clever with the routing tables (probably possible, but beyond my capabilities) in order to make sure that the reply goes back out through the same interface as it came in on (although I must admit I can't think of a specific reason why this should be absolutely necessary) - on a machine with a standard routing table, the reply will simply go back via the 'default gateway', which of course is only on one of your Internet links....

Maybe someone with more experience of iproute2 than me can jump in here?

Antony.
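The "something clever with the routing tables" the reply leaves open can be done with connection marks plus iproute2 policy routing. The script below is an added example, not from the thread; it assumes the firewall's links are eth0 (62.2.159.15), eth1 (194.38.85.206) and eth2 (internal_net), and uses placeholder upstream gateways GW0 and GW1, which are not given in the mail.

```bash
#!/bin/sh
# Added example (not from the original thread). Assumed topology:
#   eth0 = link for 62.2.159.14/.15  (upstream gateway GW0, placeholder)
#   eth1 = link for 194.38.85.209/.206 (upstream gateway GW1, placeholder)
#   eth2 = internal_net, where 193.72.186.6 lives
EXT0_IF=eth0; EXT0_IP=62.2.159.14;  GW0=${GW0:-62.2.159.1}     # GW0 is a placeholder
EXT1_IF=eth1; EXT1_IP=194.38.85.209; GW1=${GW1:-194.38.85.1}   # GW1 is a placeholder
INT_IF=eth2;  INT_HOST=193.72.186.6

# build_ruleset prints the commands instead of executing them so the rule set
# can be reviewed first; as root, apply it with:  build_ruleset | sh
build_ruleset() {
    # 1. DNAT both public addresses to the internal host; conntrack reverses
    #    the translation on the replies automatically.
    echo "iptables -t nat -A PREROUTING -d $EXT0_IP -j DNAT --to-destination $INT_HOST"
    echo "iptables -t nat -A PREROUTING -d $EXT1_IP -j DNAT --to-destination $INT_HOST"
    # 2. Remember which link a new connection arrived on by marking the
    #    *connection* only (packet mark stays 0, so inbound packets still
    #    route via the main table towards the internal host).
    echo "iptables -t mangle -A PREROUTING -i $EXT0_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1"
    echo "iptables -t mangle -A PREROUTING -i $EXT1_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 2"
    # 3. Replies from the internal side get the connection mark copied onto the
    #    packet, which happens before the routing decision is made.
    echo "iptables -t mangle -A PREROUTING -i $INT_IF -j CONNMARK --restore-mark"
    # 4. Policy routing: a marked reply leaves through the link it came in on.
    echo "ip route add default via $GW0 dev $EXT0_IF table 101"
    echo "ip route add default via $GW1 dev $EXT1_IF table 102"
    echo "ip rule add fwmark 1 table 101"
    echo "ip rule add fwmark 2 table 102"
    # 5. Strict reverse-path filtering would drop packets arriving on the link
    #    that is not the main-table route back to the client; use loose mode.
    echo "sysctl -w net.ipv4.conf.$EXT0_IF.rp_filter=2"
    echo "sysctl -w net.ipv4.conf.$EXT1_IF.rp_filter=2"
}
```

Connections the internal host opens itself carry no mark and keep using the main table's default route.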
