Jose Celestino wrote:
> Moreover, I have a similar question, but in the case where we "put" the
> internal machine in our external network by doing:
>
> $iptables -A FORWARD -i eth2 -p tcp -d OUTSIDE-ALIAS-FOR-INTERNAL-MACHINE -j ACCEPT
> $iptables -t nat -A PREROUTING -i eth2 -d OUTSIDE-ALIAS-FOR-INTERNAL-MACHINE -j DNAT --to INTERNAL-MACHINE
> $iptables -t nat -A POSTROUTING -s INTERNAL-MACHINE -d ! INTERNAL-NETWORK -j SNAT --to OUTSIDE-ALIAS-FOR-INTERNAL-MACHINE
Those rules won't do what you intend. The PREROUTING rules run first, so by the time the packets hit the FORWARD chain, their destination is INTERNAL-MACHINE, *not* OUTSIDE-ALIAS-FOR-INTERNAL-MACHINE.

hth
Adam
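The corrected rule set, as an added example that is not part of the thread: the nat/PREROUTING DNAT runs before the routing decision and before filter/FORWARD, so the FORWARD rule has to match the rewritten destination. The interface name is taken from the quoted rules; the addresses (RFC 5737 / RFC 1918 documentation ranges) and the `IPT` dry-run switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Publishes an internal host
# under an external alias with the FORWARD match on the post-DNAT address.
set -eu

EXT_IF=eth2
ALIAS=203.0.113.10          # OUTSIDE-ALIAS-FOR-INTERNAL-MACHINE (assumed address)
INTERNAL=192.168.1.10       # INTERNAL-MACHINE (assumed address)
INTERNAL_NET=192.168.1.0/24 # INTERNAL-NETWORK (assumed range)

# IPT=iptables applies the rules (needs root); the default only prints them,
# which is enough to review the rule set and its ordering offline.
IPT=${IPT:-"echo iptables"}

# Inbound traversal order is nat/PREROUTING -> routing -> filter/FORWARD
# -> nat/POSTROUTING, so step 2 below matches INTERNAL, not ALIAS.
publish_internal_host() {
    # 1. Rewrite the destination before the routing decision.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$ALIAS" \
        -j DNAT --to-destination "$INTERNAL"
    # 2. Filter on the rewritten destination (the only one FORWARD ever sees).
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$INTERNAL" -j ACCEPT
    # 3. Connections the internal host opens itself leave with the alias as
    #    source. Replies to DNATed connections are reverse-mapped by
    #    conntrack and do not depend on this rule. Note the negation goes
    #    before the option ("! -d"); "-d !" is the deprecated spelling.
    $IPT -t nat -A POSTROUTING -s "$INTERNAL" ! -d "$INTERNAL_NET" \
        -j SNAT --to-source "$ALIAS"
}

# The rule from the quoted post, kept for comparison: it never matches,
# because no forwarded packet still carries ALIAS as its destination, so
# such packets fall through to the FORWARD chain policy instead.
broken_forward_rule() {
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$ALIAS" -j ACCEPT
}

publish_internal_host
```

Run it as-is to print the three commands in traversal order, or as `IPT=iptables sh script.sh` on the gateway to load them. After loading, `iptables -t nat -S PREROUTING` and `iptables -S FORWARD` show that the only address FORWARD refers to is the internal one.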
