On Friday 19 April 2002 3:10 am, Donald Thompson wrote:

> I have a linux 2.4.18 firewall using iptables 1.2.5. It only has a single
> ethernet card, but I use IP alias so that it can talk to an internal
> (non-routeable) network.
>
> iptables -t nat -A PREROUTING -d 4.3.2.2 -j DNAT --to-destination 192.168.0.2
>
> That part works great, sort of. However, the machine 192.168.0.2 thinks
> any DNAT traffic is coming from 192.168.0.1, rather than the appropriate
> IP address out on the internet.

Have you got any SNAT or MASQUERADING rules as well as the DNAT one you told 
us above ?

I think you must have, otherwise your internal machines couldn't connect out 
to the Internet, and I suspect you've made it too general (quite easy when 
you only have a single ethernet card in your Firewall - odd choice of how to 
do it...) so that the Firewall is SNATting packets both ways.

Try changing your SNAT or MASQUERADE rule to match only packets with 
(original) source address 192.168.0.x and see if that sorts it out.

If not, post your full ruleset for us to look at.

By the way, why *are* you using only a single ethernet card ?


Antony.
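A toy model of the nat table traversal for the single-NIC setup discussed above, added here as an illustration and not code from either poster: it puts Donald's DNAT rule beside an over-general POSTROUTING MASQUERADE and beside the source-restricted version Antony suggests, and shows what source address 192.168.0.2 ends up seeing in each case. It assumes the firewall's public address is 4.3.2.2 and its IP alias is 192.168.0.1; the client and server addresses are constructed.

```python
"""Constructed model of netfilter PREROUTING/POSTROUTING nat for one NIC.
Assumptions (not from the thread): public address 4.3.2.2, alias 192.168.0.1."""
import ipaddress

PUBLIC_IP = "4.3.2.2"        # address the DNAT rule matches on
ALIAS_IP = "192.168.0.1"     # IP alias on the same card, facing the LAN
LAN = ipaddress.ip_network("192.168.0.0/24")


def prerouting(pkt):
    """iptables -t nat -A PREROUTING -d 4.3.2.2 -j DNAT --to-destination 192.168.0.2"""
    if pkt["dst"] == PUBLIC_IP:
        return dict(pkt, dst="192.168.0.2")
    return pkt


def masquerade(pkt):
    """MASQUERADE rewrites the source to the address the box would use to
    reach dst: the alias for LAN destinations, the public IP otherwise."""
    out_ip = ALIAS_IP if ipaddress.ip_address(pkt["dst"]) in LAN else PUBLIC_IP
    return dict(pkt, src=out_ip)


def postrouting_general(pkt):
    """Too general: iptables -t nat -A POSTROUTING -j MASQUERADE
    Matches the DNATed inbound packets too, so the LAN host sees the alias."""
    return masquerade(pkt)


def postrouting_restricted(pkt):
    """Restricted: iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
    Only packets whose original source is on the LAN get rewritten; with a
    single card, matching on -o cannot separate the two directions."""
    if ipaddress.ip_address(pkt["src"]) in LAN:
        return masquerade(pkt)
    return pkt


def forward(pkt, postrouting):
    """A forwarded packet: PREROUTING nat, routing decision, POSTROUTING nat."""
    return postrouting(prerouting(pkt))


if __name__ == "__main__":
    inbound = {"src": "203.0.113.7", "dst": PUBLIC_IP}        # constructed Internet client
    outbound = {"src": "192.168.0.2", "dst": "198.51.100.9"}  # constructed LAN -> Internet
    for name, pr in (("general", postrouting_general), ("restricted", postrouting_restricted)):
        print(name, forward(inbound, pr), forward(outbound, pr))
```

With the general rule the inbound packet reaches 192.168.0.2 with source 192.168.0.1, which is exactly the symptom in the question; with the restricted rule the original client address survives while outbound traffic is still masqueraded to 4.3.2.2.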
