[CentOS] A little iptables help
Kirk Bocek
t004 at kbocek.com
Wed Sep 28 17:37:01 UTC 2005
Aleksandar Milivojevic wrote:
> You assumed right. However, Netfilter is smart enough to change source
> address on returning packet without explicit SNAT rule(s). As long as
> incoming and outgoing packets are going through same firewall
Ah ha! I *was* right. :) If you have more than one router on the network, you need to
make sure the internal host uses the same router doing the DNAT for its outbound
traffic.
On our network we have more than one router doing SNAT for the internal network, which
provides redundancy and load sharing. When I set up the inbound DNAT for SSH, I
realized that both inbound and outbound streams from the target host had to go
through the same router. What I didn't know is that you don't *need* the SNAT. My
network just *happens* to be doing it.
Thanks,
Kirk
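The point made in this thread, that a DNAT rule alone is enough because connection tracking rewrites the reply's source address, and that this only works when the reply leaves through the router holding the conntrack entry, can be shown with a small model. The following is an added example written for this page, not code from the CentOS list or from netfilter itself: it is a deliberately simplified conntrack model (no timeouts, no protocol state, TCP only), and the addresses, router names and the `dnat_rule_line` helper are constructed for illustration.

```python
"""Simplified model of netfilter DNAT plus connection tracking.

Illustrates why an inbound DNAT for SSH needs no matching SNAT rule, and
why it breaks when the internal host's replies leave through a different
router. This is a teaching model, not netfilter's real implementation.
"""
from dataclasses import dataclass, field

# Constructed addresses (RFC 5737 documentation ranges).
CLIENT = "198.51.100.7"       # external SSH client
PUBLIC_IP = "203.0.113.10"    # router A's public address
INTERNAL_HOST = "192.168.1.50"  # internal SSH server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    """A router with a DNAT table and a conntrack table.

    There is intentionally no SNAT table: the reverse translation for
    replies comes solely from the conntrack entry created by the DNAT.
    """
    name: str
    # (public_ip, public_port) -> (internal_ip, internal_port)
    dnat: dict
    # (reply_src, reply_sport, reply_dst, reply_dport) -> (public_ip, public_port)
    conntrack: dict = field(default_factory=dict)

    def forward_in(self, pkt: Packet) -> Packet:
        """Packet arriving from the outside (PREROUTING direction)."""
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt
        new_dst, new_dport = target
        # Remember the original destination so the reply can be un-NATed.
        self.conntrack[(new_dst, new_dport, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, pkt.sport, new_dst, new_dport)

    def forward_out(self, pkt: Packet) -> Packet:
        """Packet leaving from the LAN side (POSTROUTING direction)."""
        original = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is None:
            return pkt  # no state here: source address is left untouched
        pub_ip, pub_port = original
        return Packet(pub_ip, pub_port, pkt.dst, pkt.dport)


def dnat_rule_line(public_ip: str, public_port: int, internal_ip: str, internal_port: int) -> str:
    """Render the equivalent iptables DNAT rule for the model's table entry."""
    return (f"iptables -t nat -A PREROUTING -d {public_ip} -p tcp --dport {public_port} "
            f"-j DNAT --to-destination {internal_ip}:{internal_port}")


def ssh_session(reply_router: str):
    """Client SYN enters via router A; the SYN-ACK leaves via reply_router.

    Returns (reply_src, reply_sport, client_accepts). The client only accepts
    the reply if it comes back from PUBLIC_IP:22, the address it connected to.
    """
    router_a = Router("A", {(PUBLIC_IP, 22): (INTERNAL_HOST, 22)})
    router_b = Router("B", {})  # second router, no DNAT and no conntrack state
    routers = {"A": router_a, "B": router_b}

    syn = Packet(CLIENT, 40000, PUBLIC_IP, 22)
    syn_inside = router_a.forward_in(syn)       # DNAT to the internal host
    synack = Packet(syn_inside.dst, syn_inside.dport, CLIENT, 40000)
    reply = routers[reply_router].forward_out(synack)
    return reply.src, reply.sport, reply.src == PUBLIC_IP


if __name__ == "__main__":
    print(dnat_rule_line(PUBLIC_IP, 22, INTERNAL_HOST, 22))
    print("reply via A:", ssh_session("A"))  # source rewritten to the public IP
    print("reply via B:", ssh_session("B"))  # source left as 192.168.1.50, client drops it
```

When the reply goes back through router A, its conntrack entry restores the public address and the handshake completes with no SNAT rule involved. When the reply goes through router B, nothing there knows about the connection, the packet leaves with the private source address, and the client sees a SYN-ACK from an address it never contacted. That is the same-router requirement the thread describes; a quick field check for it on a real host is `conntrack -L` (from conntrack-tools) on each router to see which one actually holds the entry.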