On Thu, 23 May 2002, Antony Stone wrote:

> Try putting a tcpdump / ethereal monitor on the external interface of your 
> firewall which its default route points to, and see if it appears to be 
> sending out reply packets with the 'other' source address.

So, it works very fine now (some problem with the router), I can do my
double-rewriting of addresses. The packets go out on the wrong interface,
though, but this seems to work anyway as the ISP doesn't do any sensible
filtering.

If someone is interested, I would be glad to see if there is any method to
route the packets correctly without losing the external addresses in the
inside, and without requiring a second IP address on the internal machine
(the proposed marker solution would lose the external addresses). 

In my mind, it must be possible, since the connections, AFAIK, are tracked
as soon as DNAT is used. It's not urgent, but it would surely interest me.

The resulting scripts are in:

   http://www-internal.alphanet.ch/~schaefer/nf_firewall/

Thanks for the help, Antony and Ramin!
