On 14 Jan 2002, at 17:45, Bruno Negrão wrote:
> Hi all,
> I'm using a Linux firewall with two Ethernet interfaces + iptables
> + masquerading (for Windows clients) + NAT 1:1 (for application
> servers).
> My external interface, eth0, has 3 IP addresses (IP aliasing)
> intended to do 1:1 NAT for 3 internal servers.
>
> When some Internet machine connects to one of my internal servers,
> let's say server1, it will connect to the firewall's external
> aliased IP (eth0:0 - 200.111.111.111), which will be handled by the
> following rule:
> $IPTABLES -t nat -A PREROUTING -d 200.111.111.111 -j DNAT
> --to-destination $SERVER1_INTERNAL_IP
>
> But when server1 starts a connection to the outside world, it
> will match the default masquerading rule for all internal machines:
> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
> 200.111.111.110
>
> What perturbs me is: when server1 answers the outside world it
> will show the source IP 200.111.111.111. But when server1 starts a
> connection to the Internet, it will use the IP 200.111.111.110,
> the IP of the firewall's eth0.
>
> Does this cause any problem? How are you dealing with this case?
> Don't I need an additional rule such as:
> iptables -t nat -A POSTROUTING -o eth0 -s $SERVER1_INTERNAL_IP -j SNAT --to-source 200.111.111.111
> ??
>
> thank you all,
> -------------------------------------------------
> -- Bruno Negrão -- Suporte
> -- Plugway Acesso Internet Ltda.
> -- (31)34812311
> -- [EMAIL PROTECTED]

Some implementations of 1:1 NAT consider a single mapping to apply to both directions, and some -- like this one -- don't. Each solves some problems, and creates others. I'd say that this is the more flexible approach; as you've guessed, you can duplicate the other approach (and solve the same problems it does) by adding a second rule for internally-originated traffic.

David Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
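The complete nat-table rule set for the setup discussed above, as an added example; it is not code from either post. Two facts about Netfilter explain what Bruno sees and why David's "second rule" works: the nat table is consulted only for the first packet of a connection, and the resulting mapping is applied in reverse to the replies by conntrack. So server1's answers to an inbound, DNATed connection already leave as 200.111.111.111 with no SNAT rule at all, while a connection server1 opens itself is a new conntrack entry that walks POSTROUTING from the top, and the first rule that matches wins. The per-server SNAT therefore has to be appended before the catch-all SNAT, or it never fires. The script assumes a hypothetical layout (eth0 outside, a 192.168.1.0/24 LAN, the three server addresses in NAT_MAP, all constructed for the example) and adds two tightenings that the original rules lack: `-i eth0` on the DNAT rules and `-s $LAN` on the catch-all. `first_match` is a small simulator of POSTROUTING's first-match behaviour so the ordering point can be checked without root or iptables.

```shell
#!/bin/sh
# Added example for the thread above (not from the original posts).
# Hypothetical layout: eth0 = outside, LAN 192.168.1.0/24 inside,
# firewall's own outside address 200.111.111.110, three 1:1-NATed servers.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES="echo iptables" for a dry run
EXT_IF=eth0
FW_EXT_IP=200.111.111.110
LAN=192.168.1.0/24

# public-alias / internal-address pairs, one per line (constructed for the example)
NAT_MAP="200.111.111.111 192.168.1.11
200.111.111.112 192.168.1.12
200.111.111.113 192.168.1.13"

# Print the nat-table rules in the order they must be appended.
nat_rules() {
    # Inbound: each public alias is DNATed to its server. Only the first packet
    # of a connection consults this table; conntrack reverse-translates the
    # replies, which is why server1's answers already leave as 200.111.111.111.
    printf '%s\n' "$NAT_MAP" | while read -r pub int; do
        echo "-t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $int"
    done
    # Outbound, per-server rules FIRST: POSTROUTING is first-match, so these
    # must precede the catch-all or they never fire.
    printf '%s\n' "$NAT_MAP" | while read -r pub int; do
        echo "-t nat -A POSTROUTING -o $EXT_IF -s $int -j SNAT --to-source $pub"
    done
    # Outbound catch-all LAST: everything else from the LAN uses the firewall's address.
    echo "-t nat -A POSTROUTING -o $EXT_IF -s $LAN -j SNAT --to-source $FW_EXT_IP"
}

# Feed the rules to iptables (needs root; IPTABLES="echo iptables" shows what would run).
apply_rules() {
    nat_rules | while read -r line; do
        # shellcheck disable=SC2086  # word splitting of $line is intended
        $IPTABLES $line
    done
}

# Simulate first-match for a NEW connection from source $1: read rules on stdin
# and print the --to-source of the first POSTROUTING SNAT rule whose -s covers it.
# Only exact addresses and /24 selectors are understood (enough for this example).
first_match() {
    src=$1
    while read -r line; do
        case "$line" in *"-A POSTROUTING"*) ;; *) continue ;; esac
        sel=${line#*-s }; sel=${sel%% *}
        to=${line#*--to-source }; to=${to%% *}
        case "$sel" in
            */24) [ "${sel%.*}" = "${src%.*}" ] && { echo "$to"; return 0; } ;;
            *)    [ "$sel" = "$src" ] && { echo "$to"; return 0; } ;;
        esac
    done
    echo "unchanged"   # no SNAT rule matched; the packet leaves with its LAN address
    return 1
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  nat_rules ;;
esac
```

`sh nat.sh show` prints the rules in order; `sh nat.sh apply` loads them. After loading, `iptables -t nat -L POSTROUTING -n --line-numbers` should list the three per-server SNAT rules above the catch-all; if the catch-all sits first (for instance because the masquerading rule was appended by an earlier script), `first_match` reproduces exactly what Bruno observed: server1's own connections leave as 200.111.111.110.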
