Hi Ben,

iptables is clever enough to know and remember where the original packet came from and will automagically do the translation necessary for the return packets.

Ray

Ben wrote:
> I've got a basic nat setup:
>
>                    internet
>                       |
>                 +====+=====+  eth0: 1.2.3.4
>                 | firewall |
>                 +====+=====+  eth1: 10.0.0.1
>                       |
>                 +====+=====+  eth0: 10.0.0.2
>                 |  server  |
>                 +==========+
>
>
> What I would like is for packets coming from the server (10.0.0.2) to get
> SNAT'd to the firewall's IP address, 1.2.3.4. It seems easy enough to do:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.2 -j SNAT --to 1.2.3.4
>
> But now I don't see how return packets are going to make it back to my
> server, because the firewall is going to think they are destined for it.
> If I add the rule:
>
> iptables -t nat -A PREROUTING -d 1.2.3.4 -i ! eth0 -j DNAT --to 10.0.0.2
>
> Then it seems I lose the ability for the firewall to run anything
> accessible to the outside world, like ssh.
>
>
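The point Ray makes, that connection tracking reverses the SNAT for reply packets on its own and that a blanket DNAT is not needed, can be seen in a small model. The following is an added illustration, not code from the thread or from netfilter itself: it mimics what conntrack does for Ben's POSTROUTING SNAT rule, using the addresses from the diagram plus constructed remote hosts (198.51.100.10 and 203.0.113.5 are documentation addresses) and constructed port numbers.

```python
# Added illustration (not from the thread): a small model of what netfilter's
# connection tracking does for the SNAT rule Ben posted. Remote hosts and ports
# are constructed examples; 198.51.100.10 / 203.0.113.5 are documentation addresses.
from dataclasses import dataclass, replace

FW_PUBLIC = "1.2.3.4"    # firewall eth0 (from the thread)
SERVER = "10.0.0.2"      # internal server (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class SnatConntrack:
    """Model of `-t nat -A POSTROUTING -o eth0 -s SERVER -j SNAT --to FW_PUBLIC`.

    The nat table only sees the first packet of a flow; conntrack stores the
    original and reply tuples and rewrites every later packet of that flow
    in both directions. No PREROUTING DNAT rule is needed for the replies.
    """

    def __init__(self, snat_from: str, snat_to: str) -> None:
        self.snat_from = snat_from
        self.snat_to = snat_to
        # reply tuple as it will arrive on eth0 -> original internal source
        self.entries: dict[tuple, str] = {}

    def postrouting(self, pkt: Packet) -> Packet:
        """Outbound on eth0: apply SNAT and record the expected reply tuple."""
        if pkt.src != self.snat_from:
            return pkt
        reply_key = (pkt.dst, pkt.dport, self.snat_to, pkt.sport, pkt.proto)
        # Real conntrack picks a different source port on collision; the model
        # keeps the port, which is what happens in the common case.
        self.entries[reply_key] = pkt.src
        return replace(pkt, src=self.snat_to)

    def prerouting(self, pkt: Packet) -> tuple:
        """Inbound on eth0: reverse the translation for tracked replies only.

        Returns the (possibly rewritten) packet and the routing decision:
        'forward' to the internal server, or 'local' for the firewall itself.
        """
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        original_src = self.entries.get(key)
        if original_src is None:
            # No tracked flow: a NEW inbound connection to 1.2.3.4 (e.g. ssh)
            # stays with the firewall, which is what Ben's DNAT rule would break.
            return pkt, "local"
        return replace(pkt, dst=original_src), "forward"


def demo() -> dict:
    """Run the three cases from the thread through the model."""
    ct = SnatConntrack(SERVER, FW_PUBLIC)
    remote = "198.51.100.10"

    # 1. the server opens a TCP connection to a remote web server
    out = ct.postrouting(Packet(SERVER, 40000, remote, 80))
    # 2. the reply arrives on eth0 addressed to the firewall's public IP
    back, verdict_back = ct.prerouting(Packet(remote, 80, FW_PUBLIC, 40000))
    # 3. an unrelated new ssh connection from the internet to the firewall
    ssh, verdict_ssh = ct.prerouting(Packet("203.0.113.5", 55555, FW_PUBLIC, 22))

    return {
        "outbound_src": out.src,
        "reply_dst": back.dst,
        "reply_verdict": verdict_back,
        "ssh_dst": ssh.dst,
        "ssh_verdict": verdict_ssh,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real firewall the same thing can be checked with `conntrack -L` (from conntrack-tools) or `cat /proc/net/nf_conntrack`, which lists both the original and the reply tuple of each SNAT'd flow, and with `iptables -t nat -L POSTROUTING -n -v`, whose packet counters only increase for the first packet of each new flow. A PREROUTING DNAT rule is only needed when the server must accept new inbound connections from the internet, and then it should be restricted to the ports that service uses (for example `--dport 80`) so that ssh to the firewall keeps working.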
