This is what did it...adding those lines worked, with some modification: I added -i eth1 and -o eth1, to the prerouting and postrouting lines, respectively, and then was able to leave off the -p and --dport parameters, since I'm pretty much trusting my internal network, implicitly.
Of course, now every internal connection looks, to the server, like it's coming from the firewall (telnet to the box, and it says the connection is coming from the firewall's IP), but at least I don't have to make sure I'm always updating my client machines. <G> Thanks again, Bret...the help is much appreciated. On 19 Jan 2002, Bret Hughes wrote: > AH HA! I think this is the solution from the NAT howto. I thought there > was a redirect thing going to happen. It turns out, according to this > that the solution is to SNAT these packets to the NAT box as well as the > DNAT. I don't have time to think it through right now and write a rule, > but this should get you close. > > It is the last section the applies to your situation I belive. > > > 10. Destination NAT Onto the Same Network > > If you are doing port forwarding back onto the same network, you need to > make sure that both future packets and reply packets pass through the > NAT box (so they can be altered). The NAT code will now (since > 2.4.0-test6), block the outgoing ICMP redirect which is produced when > the NAT'ed packet heads out the same interface it came in on, but the > receiving server will still try to reply directly to the client (which > won't recognize the reply). > > The classic case is that internal staff try to access your `public' web > server, which is actually DNAT'ed from the public address (1.2.3.4) to > an internal machine (192.168.1.1), like so: > > # iptables -t nat -A PREROUTING -d 1.2.3.4 \ > -p tcp --dport 80 -j DNAT --to 192.168.1.1 > > One way is to run an internal DNS server which knows the real (internal) > IP address of your public web site, and forward all other requests to an > external DNS server. This means that the logging on your web server will > show the internal IP addresses correctly. > > The other way is to have the NAT box also map the source IP address to > its own for these connections, fooling the server into replying through > it. In this example, we would do the following (assuming the internal IP > address of the NAT box is 192.168.1.250): > > # iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \ > -p tcp --dport 80 -j SNAT --to 192.168.1.250 > > Because the PREROUTING rule gets run first, the packets will already be > destined for the internal web server: we can tell which ones are > internally sourced by the source IP addresses. > > > > > > _______________________________________________ > Redhat-list mailing list > [EMAIL PROTECTED] > https://listman.redhat.com/mailman/listinfo/redhat-list > _______________________________________________ Redhat-list mailing list [EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/redhat-list
