On Fri, Apr 12, 2002 at 03:07:44PM -0600, Oscar Valdez wrote:
> You're absolutely right about the "/32" typo: it should be "/24". (I was
> stupidly thinking 8x3=32).
>
> As for Ramin's suggestion to
> > 1) DNAT the NEW packets coming in from your ISP in PREROUTING.
This should take care of the services running on your server.
> > 2) SNAT the NEW packets going out from your LAN in POSTROUTING.
This should take care of the clients in your LAN trying to access the
Internet.
>
> I had already (and unsuccessfully) tried
> # iptables -t nat -I PREROUTING -d 168.243.206.8/29 -j DNAT --to 192.168.1.1
Try tcpdump or ethereal to see what's broken.
>
> My understanding was that this was a bi-directional NAT: packets going out from
> 192.168.1.1 would automagically be SNATed. Maybe it isn't so. Is there a way to
You're right. These two rules are meant for both receiving connections and
being able to establish connections.
> make 192.168.1.1 virtually (and bidirectionally) appear to act as the entire
> 168.243.206.8/29 block?
>
> As for Ramin's second suggestion ("Another way of doing this is to implement the
> /29 on your LAN side and bypass the NAT which gives you much more ability for
> all the protocols."), that would mean aliasing the /29 addresses on the
> 192.168.1.0 side, right?
Yes.
Ramin
>
> Oscar
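The point Ramin makes above (DNAT in PREROUTING covers connections coming in to the server, SNAT in POSTROUTING covers connections the LAN host opens itself, and connection tracking handles the replies in both cases) can be checked with a small model of the nat table. The following is an added example, not code from either poster and not netfilter's own logic: it imitates how a NEW packet is matched against the DNAT and SNAT rules and how the resulting mapping is replayed for the rest of the flow. The /29 and the internal host are from the thread; the address used as the SNAT source (168.243.206.9) and the remote client address (198.51.100.7) are assumptions chosen for the example.

```python
"""Toy model of netfilter DNAT/SNAT with connection tracking (added example)."""
import ipaddress
from dataclasses import dataclass

# Values from the thread.
PUBLIC_BLOCK = ipaddress.ip_network("168.243.206.8/29")
INTERNAL_HOST = ipaddress.ip_address("192.168.1.1")
LAN = ipaddress.ip_network("192.168.1.0/24")
# Assumption: which address of the /29 outbound LAN traffic should appear from.
SNAT_SOURCE = ipaddress.ip_address("168.243.206.9")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


class NatBox:
    """Models the two rules from the thread:

      iptables -t nat -A PREROUTING  -d 168.243.206.8/29 -m state --state NEW -j DNAT --to 192.168.1.1
      iptables -t nat -A POSTROUTING -s 192.168.1.0/24  -m state --state NEW -j SNAT --to 168.243.206.9

    Only the first packet of a flow consults the rules; every later packet,
    in either direction, reuses the mapping stored in the conntrack table.
    """

    def __init__(self, dnat: bool, snat: bool):
        self.dnat, self.snat = dnat, snat
        # key: 4-tuple of a packet as it arrives; value: 4-tuple as it leaves
        self.conntrack = {}

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    def _record(self, original: Packet, translated: Packet) -> None:
        # Original direction: an arriving 'original' leaves as 'translated'.
        self.conntrack[self._key(original)] = self._key(translated)
        # Reply direction: the reverse of 'translated' leaves as the reverse
        # of 'original', which is what makes a single DNAT rule handle replies.
        reply_in = (translated.dst, translated.dport, translated.src, translated.sport)
        reply_out = (original.dst, original.dport, original.src, original.sport)
        self.conntrack[reply_in] = reply_out

    def forward(self, p: Packet) -> Packet:
        """Pass one packet through the box and return it as it leaves."""
        k = self._key(p)
        if k in self.conntrack:  # ESTABLISHED: replay the stored mapping
            return Packet(*self.conntrack[k])
        out = p  # NEW packet: consult the nat rules
        if self.dnat and p.dst in PUBLIC_BLOCK:  # PREROUTING -j DNAT
            out = Packet(out.src, out.sport, INTERNAL_HOST, out.dport)
        if self.snat and p.src in LAN and p.dst not in LAN:  # POSTROUTING -j SNAT
            out = Packet(SNAT_SOURCE, out.sport, out.dst, out.dport)
        self._record(p, out)
        return out


def scenario(dnat: bool, snat: bool) -> dict:
    """Run the three flows the thread talks about and report what leaves the box."""
    box = NatBox(dnat, snat)
    client = ipaddress.ip_address("198.51.100.7")  # constructed remote client
    # 1. NEW connection from the Internet to one address of the /29.
    inbound = box.forward(Packet(client, 40000, ipaddress.ip_address("168.243.206.10"), 80))
    # 2. The server's reply, as it is emitted by whichever host received step 1.
    reply = box.forward(Packet(inbound.dst, 80, inbound.src, inbound.sport))
    # 3. NEW connection opened by the LAN host itself.
    outbound = box.forward(Packet(INTERNAL_HOST, 50000, client, 443))
    return {
        "inbound_dst": str(inbound.dst),    # 192.168.1.1 only if DNAT is present
        "reply_src": str(reply.src),        # public address again, via conntrack
        "outbound_src": str(outbound.src),  # private address leaks unless SNAT is present
    }


if __name__ == "__main__":
    for dnat, snat in ((True, False), (False, True), (True, True)):
        print(f"dnat={dnat} snat={snat}: {scenario(dnat, snat)}")
```

With DNAT alone, inbound connections reach 192.168.1.1 and their replies leave with the public address restored, which is why the one rule Oscar posted is enough for the server's services; a connection the LAN host opens itself still leaves with its 192.168.1.1 source, so the SNAT rule is needed as well. The model ignores the interface and state matches of the real rules, so it treats any packet addressed to the /29 as a candidate for DNAT.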