On Thursday 23 May 2002 5:24 pm, Marc SCHAEFER wrote:

> On Thu, 23 May 2002, Antony Stone wrote:
> > If you simply use two DNAT rules in your PREROUTING chain:
> >
> > iptables -A PREROUTING -t nat -d 62.2.159.14 --to 193.72.186.6
> > iptables -A PREROUTING -t nat -d 194.38.85.209 --to 193.72.186.6
> >
> > Then iptables will automatically look after the reverse translation of
> > the replying packets from the internal machine to the external client.
>
> That's good, presumably. I do the equivalent of:
>
> iptables -d 194.38.85.209 -t nat -A PREROUTING -i eth0 -j DNAT --to
> 193.72.186.6
> iptables -d 62.2.159.14 -t nat -A PREROUTING -i eth2 -j DNAT --to
> 193.72.186.6
>
> ie it's the same as you but with interface specification and DNAT jump.

Er, yes - it would have been good if I'd remembered to put the -j DNAT in my 
rules :-)

> So my problem should be somewhere else. I will debug more to see what is
> happening.

Try putting a tcpdump / ethereal monitor on the external interface of your 
firewall which its default route points to, and see if it appears to be 
sending out reply packets with the 'other' source address.

If it is, then you know your IPtables setup is working fine (and there's 
nothing more you can do to it to make things work any better), and you have 
to start playing with the routing table as Ramin suggested....



Antony.
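As an added example (not part of the thread), this script automates the check Antony describes: classify reply packets seen on the default-route interface by their source address, using the three addresses from the thread. It assumes eth0 is the default-route interface, the modern tcpdump line format "IP src.port > dst.port", and the capture lines are constructed.

```python
import re
from collections import Counter

# Public addresses per interface and the internal server, all from the thread.
PUBLIC_ADDR = {"eth0": "194.38.85.209", "eth2": "62.2.159.14"}
INTERNAL_SERVER = "193.72.186.6"

# Leading fields of a tcpdump line: "<ts> IP <src>.<port> > <dst>.<port>:"
_LINE = re.compile(
    r"^\S+ IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):"
)

def classify_reply(line, capture_iface):
    """Classify one line captured on capture_iface (assumed default-route interface).
    Returns 'ok', 'wrong-public-src', 'untranslated-src', or None for non-reply traffic."""
    m = _LINE.match(line)
    if not m:
        return None
    src = m.group(1)
    if src == PUBLIC_ADDR[capture_iface]:
        return "ok"                  # reverse NAT done and sent from the right address
    if src == INTERNAL_SERVER:
        return "untranslated-src"    # conntrack did not apply the reverse translation
    if src in PUBLIC_ADDR.values():
        return "wrong-public-src"    # NAT is fine; reply routed out with the 'other' address
    return None                      # inbound request or unrelated packet

def audit(lines, capture_iface):
    """Count reply classes over a capture; a non-zero wrong-public-src count
    means the fix belongs in the routing table, not in iptables."""
    return Counter(c for c in (classify_reply(l, capture_iface) for l in lines) if c)

# Constructed capture lines (not a real trace); 203.0.113.7 is a documentation client address.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 203.0.113.7.40001 > 194.38.85.209.80: Flags [S], seq 1, length 0",
    "12:00:01.000002 IP 194.38.85.209.80 > 203.0.113.7.40001: Flags [S.], seq 2, ack 2, length 0",
    "12:00:02.000001 IP 62.2.159.14.80 > 203.0.113.7.40002: Flags [S.], seq 3, ack 2, length 0",
    "12:00:03.000001 IP 193.72.186.6.80 > 203.0.113.7.40003: Flags [S.], seq 4, ack 2, length 0",
]

if __name__ == "__main__":
    for cls, n in sorted(audit(SAMPLE_CAPTURE, "eth0").items()):
        print(f"{cls}: {n}")
```

Feed it real output with `tcpdump -n -i eth0 | python3 audit.py` style piping once you adapt it to read stdin; a 'wrong-public-src' count confirms the routing-table diagnosis, an 'untranslated-src' count points back at the NAT setup.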