On Thu, 23 May 2002, Antony Stone wrote:

> If you simply use two DNAT rules in your PREROUTING chain:
>
> iptables -A PREROUTING -t nat -d 62.2.159.14 --to 193.72.186.6
> iptables -A PREROUTING -t nat -d 194.38.85.209 --to 193.72.186.6
>
> Then iptables will automatically look after the reverse translation of the
> replying packets from the internal machine to the external client.
That's good, presumably. I do the equivalent of:

iptables -d 194.38.85.209 -t nat -A PREROUTING -i eth0 -j DNAT --to 193.72.186.6
iptables -d 62.2.159.14 -t nat -A PREROUTING -i eth2 -j DNAT --to 193.72.186.6

i.e. it's the same as you but with interface specification and DNAT jump.
(plus ARP alias, plus enabling forwarding, plus 1 > ipv4/ip_forward, see
nf_nat's configure_nat function)

So my problem should be somewhere else. I will debug more to see what is
happening.

> However, I think you'll need to do something very clever with the routing
> tables (probably possible, but beyond my capabilities) in order to make sure
> that the reply goes back out through the same interface as it came in on
> (although I must admit I can't think of a specific reason why this should be
> absolutely necessary) - on a machine with a standard routing table, the reply

It would be necessary if both ISPs implemented correct filtering rules, i.e.
did not accept any packet from inside which is not from an inside address.
Fortunately (or unfortunately), it appears the two ISPs haven't implemented
any filtering, and thus this won't be necessary. I would like however to know
how to do it in case the ISPs start to do the things the right way one day :)

I have looked in the manual and what I need is probably `ip rule' and an
`ip route' entry on another table, with a --from address specification.
Unfortunately, my attempts to do it have failed, and I lack the background to
understand what this is all about.
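The per-interface reply routing asked about above, as an added example that is not from the thread or its authors. It keeps the thread's addresses and interfaces but assumes the internal interface (eth1), the two ISP gateways, the table numbers and a current iptables with CONNMARK; a plain `from <external address>` rule does not help here because replies to a DNATed connection are only un-translated in POSTROUTING, after the routing decision, so the connection mark is what selects the table.

```shell
#!/bin/sh
# Added example: route replies to DNATed connections back through the ISP
# interface they arrived on. Gateways, eth1 and table numbers are assumptions.
INT_SERVER=193.72.186.6
INT_IF=eth1                                                   # assumed
ISP_A_IF=eth0; ISP_A_ADDR=194.38.85.209; ISP_A_GW=194.38.85.1 # gateway assumed
ISP_B_IF=eth2; ISP_B_ADDR=62.2.159.14;   ISP_B_GW=62.2.159.1  # gateway assumed
TABLE_A=101; TABLE_B=102

# With DRY_RUN=1 the commands are printed instead of executed, so the rule
# set can be reviewed before it touches a live box.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One ISP: DNAT to the server, tag new connections from this interface with
# a mark, and give the mark its own table whose default route is this ISP.
setup_isp() {
    iface=$1; addr=$2; gw=$3; table=$4; mark=$5
    run iptables -t nat -A PREROUTING -i "$iface" -d "$addr" \
        -j DNAT --to-destination "$INT_SERVER"
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add fwmark "$mark" table "$table"
}

setup_policy_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    # Replies coming from the internal server inherit their connection's mark
    # before routing, which is what makes the fwmark rules below match.
    run iptables -t mangle -A PREROUTING -i "$INT_IF" -j CONNMARK --restore-mark
    setup_isp "$ISP_A_IF" "$ISP_A_ADDR" "$ISP_A_GW" "$TABLE_A" 1
    setup_isp "$ISP_B_IF" "$ISP_B_ADDR" "$ISP_B_GW" "$TABLE_B" 2
    run ip route flush cache
}

# Apply only when asked: "sh policy-routing.sh apply" (or preview with DRY_RUN=1).
if [ "${1:-}" = apply ]; then setup_policy_routing; fi
```

Connections that did not enter through eth0 or eth2 carry mark 0, match no fwmark rule, and keep using the main routing table.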
