On Tue, May 28, 2002 at 04:56:45PM -0400, George Georgalis wrote:
> On Tue, May 28, 2002 at 09:34:58PM +0100, Antony Stone wrote:
> >On Tuesday 28 May 2002 9:26 pm, George Georgalis wrote:
> >
> >> >> Also, I was wondering why a connect from the LAN port 50422 (to the
> >> >> firewall) does NAT to 192.168.0.1:22? It works from the internet....
> >>
> >> I want the LAN and Internet connections to :50422 to NAT to
> >> 192.168.0.1:22 but this command from the LAN hangs...
> >> ssh -p50422 [EMAIL PROTECTED]
> >> and there is no connection recorded in the 192.168.0.1 log. I'm
> >> at a loss.
> >
> >The answer is routing.
> >
> >Internal client goes through firewall to contact server on 192.168.0.1, but
> >192.168.0.1 thinks it can reply to client without going back through the
> >firewall (think about the routing table on the server).
> >
> >Therefore the reply doesn't get reverse NATed, and the client doesn't
> >understand where the reply came from....
>
> Yeah, maybe I can just change the route on the LAN computers to always
> use the firewall... :)
No, you can't if both end points are sitting on the same subnet. Have you read
this yet?

http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

Ramin

>
> Thanks everyone,
>
> // George
>
> --
> GEORGE GEORGALIS, System Admin/Architect cell: 347-451-8229
> Security Services, Web, Mail, mailto:[EMAIL PROTECTED]
> File, Print, DB and DNS Servers. http://www.galis.org/george
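The usual remedy for the routing problem Antony describes is to keep the DNAT rule and add an SNAT rule for connections that originate on the server's own subnet, so the server's replies are forced back through the firewall where they get un-NATed. This is an added example for the setup in this thread, not code from the thread or from the netfilter documentation; the server address and ports come from the thread, while the LAN interface, LAN subnet and the firewall's LAN address are assumed.

```bash
#!/bin/sh
# Added example: DNAT :50422 -> 192.168.0.1:22 for everyone, plus the SNAT
# that makes the same rule work for clients on the server's own subnet.
LAN_IF="eth1"             # assumed: firewall's LAN-facing interface
LAN_NET="192.168.0.0/24"  # assumed: LAN subnet that contains the server
FW_LAN_IP="192.168.0.254" # assumed: firewall's own address on that LAN
SERVER="192.168.0.1"      # from the thread
EXT_PORT="50422"          # from the thread
INT_PORT="22"             # from the thread

# Print rules instead of applying them unless DRY_RUN=0, so the rule set
# can be reviewed on any machine; run as root with DRY_RUN=0 to apply.
ipt() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

nat_rules() {
  # 1. Rewrite the destination of anything hitting :50422 (from the Internet
  #    or the LAN) to the server's sshd.
  ipt -t nat -A PREROUTING -p tcp --dport "$EXT_PORT" \
      -j DNAT --to-destination "$SERVER:$INT_PORT"
  # 2. The same-subnet fix: when the DNATed connection came from the LAN and
  #    is going back out onto the LAN, replace the client's source address with
  #    the firewall's. The server then routes its replies to the firewall,
  #    which reverses both translations, instead of straight to the client,
  #    which would discard replies from an address it never talked to.
  #    Caveat: the server's logs now show the firewall's address for these
  #    connections, not the real LAN client.
  ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" \
      -p tcp --dport "$INT_PORT" -j SNAT --to-source "$FW_LAN_IP"
  # 3. Permit the translated traffic through the FORWARD chain.
  ipt -A FORWARD -d "$SERVER" -p tcp --dport "$INT_PORT" -j ACCEPT
}

nat_rules
```

Connections from the Internet are unaffected by rule 2 because their source is not in LAN_NET, so the server still logs the real external client address for those.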
