> Look at this again, it's clearly wrong. "SNAT --to 192.168.1.1"? Now
> your webserver sees all connections (say from my ip 209.98.98.98) as being
> from 192.168.1.1.

When I stated "This works for me." I really meant it. These rules are on several production firewalls. Obviously they are not the only rules ;) Perhaps there should have been a question as to why this would work for me. I do agree that the rule mentioned will not work alone. I "assumed" that since hanasaki stated that he had outside access taken care of he already had the corresponding "PREROUTING" rules in place. I apologize for that error. I can now see how my statement could be misunderstood.

While the DNS solution would typically be better in a "standard" environment I chose to use iptables rules for several reasons. I have several firewalls that I administer which protect multiple networks. If the firewall can handle the load why would I want the headaches of managing multiple internal DNS servers or hosts files when a simple rule takes care of the needed internal "redirection"? With that being said.... I am always looking for better ways to administer and secure environments.

> Even if you fix that by changing it to... (WARNING THIS EXAMPLE IS BROKEN)
> iptables -t nat -A POSTROUTING -p tcp -m multiport -d <External IP> -s \
> 192.168.1.0/24 --dports 21,80,443 -j DNAT --to 192.168.1.10

Moot point since I did not communicate all facts needed for intelligent discussion.

> There are still the CPU and bandwidth issues also responses will be routed
> directly bypassing the Firewalls state tables. If you use the SNAT you
> are likely to run out of usable ports as each outgoing connection will use
> a different source port.

I typically use a modified MonMotha script and set up static source NATs for all servers. I would be interested in learning more about the possibility of running out of usable ports. Do you remember where you saw this situation documented? I haven't seen any CPU, memory, hard disk (if installed), or bandwidth issues on my firewalls specifically. How do you run load tests on your firewalls?

I have made my syslog server sooooo busy that I had to add a second NIC to connect to it with ssh.

Thanks for your time Mike. I always enjoy reading your responses.

tsean

Listserver:# /etc/init.d/lurkd start
Reloading modules
Processing config directory: /etc/lurkd
Processing config file: /etc/lurkd/lurking.conf
lurkd: started
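Added example, not part of the original thread and not tsean's ruleset: a small Python model of the two nat hooks under discussion, showing why a POSTROUTING SNAT on its own cannot deliver a LAN client's connection to the web server, why a PREROUTING DNAT on its own makes the server answer the client directly (bypassing the firewall's state table, as the quoted reply warns), and why the internal "redirection" needs both. The public address 203.0.113.10 and the client 192.168.1.50 are constructed; the two rules modelled are assumptions written from the thread's own addresses and ports.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the model; 203.0.113.10 stands in for "<External IP>".
EXTERNAL_IP = "203.0.113.10"
FIREWALL_LAN_IP = "192.168.1.1"
WEB_SERVER = "192.168.1.10"
LAN_PREFIX = "192.168.1."
PUBLISHED_PORTS = (21, 80, 443)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def prerouting_dnat(pkt):
    """Assumed rule: -t nat -A PREROUTING -d <External IP> -p tcp -m multiport
    --dports 21,80,443 -j DNAT --to 192.168.1.10 (the one the reply says was
    taken for granted)."""
    if pkt.dst == EXTERNAL_IP and pkt.dport in PUBLISHED_PORTS:
        return replace(pkt, dst=WEB_SERVER)
    return pkt


def postrouting_snat(pkt):
    """Assumed rule: -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.10
    -p tcp -m multiport --dports 21,80,443 -j SNAT --to 192.168.1.1"""
    if pkt.src.startswith(LAN_PREFIX) and pkt.dst == WEB_SERVER and pkt.dport in PUBLISHED_PORTS:
        return replace(pkt, src=FIREWALL_LAN_IP)
    return pkt


def traverse(pkt, rules):
    """Push one packet through the nat hooks enabled in `rules` ({"dnat","snat"}).
    Returns (verdict, packet): 'local' means the firewall itself answered it,
    'forward' means it was routed on with the rewritten addresses."""
    if "dnat" in rules:
        pkt = prerouting_dnat(pkt)   # PREROUTING runs before the routing decision
    if pkt.dst in (EXTERNAL_IP, FIREWALL_LAN_IP):
        return "local", pkt          # delivered to the firewall, never reaches the web server
    if "snat" in rules:
        pkt = postrouting_snat(pkt)  # POSTROUTING runs after the routing decision
    return "forward", pkt


def reply_path(forwarded):
    """Where the web server sends its reply: a source on its own LAN (other than
    the firewall) is answered directly, so conntrack never sees the return half."""
    if forwarded.src.startswith(LAN_PREFIX) and forwarded.src != FIREWALL_LAN_IP:
        return "direct"
    return "via_firewall"
```

An external client (e.g. 209.98.98.98) is only DNATed, so the web server still logs the real source; only LAN-originated hairpin connections appear to come from 192.168.1.1.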

