How can I do this? About my problem: how can I tell the firewall, if the source is 10.0.0.1 and it is sending to 10.0.0.0/24, to send it out the eth1 interface? There's no such thing as -j eth1, right?

On 5/20/05, Mark Quitoriano <markquitoriano at gmail.com> wrote:
> Hi guys, I've got another problem...
>
> As I said in the last post, I used John's syntax for my iptables and it
> worked fine from outside on the Internet, but my local users can't access it
> in their browser.
>
> On 5/20/05, Mark Quitoriano <markquitoriano at gmail.com> wrote:
> > @ john et al
> >
> > Ei, thanks guys, I tried John's syntax and it works :)
> >
> > @peter
> > Anyway, the second one (where the SNAT is): why did I put it in the script?
> > Because I thought I needed to send the packets back to the firewall so
> > the firewall would send them back to the sender. But when I tried John's
> > syntax it sends back without the SNAT syntax. Why is that?
> >
> >
> > On 5/19/05, Peter Farrow <peter at farrows.org> wrote:
> > > If you are doing it like this as you have indicated,
> > >
> > > iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT --to-destination 10.0.0.1
> > >
> > > iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
> > >
> > > then that's why your mail server logs the IP address of the firewall....
> > > because of the POSTROUTING line above and the fact that you DNAT'ed to
> > > an IP address that you then SNAT'ed out onto the LAN.
> > >
> > > It's no problem and expected that your mail server has a different IP to
> > > your firewall; in this case you will need to make sure that
> > > the packets you've destination NAT'ed are allowed through the forward
> > > chain as Johnny Hughes has indicated below.
> > >
> > > P.
> > >
> > > Johnny Hughes wrote:
> > > > On Thu, 2005-05-19 at 21:44 +0800, Mark Quitoriano wrote:
> > > > > Here's how I did mine:
> > > > >
> > > > > iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT --to-destination 10.0.0.1
> > > > >
> > > > > iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
> > > > >
> > > > > because the firewall has a different IP than my mail server.
> > > >
> > > > You are forwarding it twice.
> > > >
> > > > Is 10.0.0.1 the internal interface of the firewall (that contains -d
> > > > xxx.xxx.xxx.xxx) or is it a separate machine?
> > > >
> > > > If it is on the same machine, try this (assuming you have a FORWARD rule
> > > > too):
> > > >
> > > > iptables -A FORWARD -i $EXTIF -p tcp --dport 25 -m state \
> > > >     --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > > >
> > > > iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 \
> > > >     -j DNAT --to xxx.xxx.xxx.xxx
> > > >
> > > > ($EXTIF is the external interface {eth0, eth1, etc.}, $EXTIP is the
> > > > external IP address)
> > > >
> > > > > On 5/19/05, Peter Farrow <peter at farrows.org> wrote:
> > > > > > If you're doing true port forwarding, the internal server should see the
> > > > > > IP address of the external machine in its logs.
> > > > > >
> > > > > > This is how my machines log that do this; I use this type of entry in
> > > > > > iptables:
> > > > > >
> > > > > > iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 10.198.0.17
> > > > > >
> > > > > > P.
> > > > > >
> > > > > > Johnny Hughes wrote:
> > > > > > > On Thu, 2005-05-19 at 21:08 +0800, Mark Quitoriano wrote:
> > > > > > > > I'm having a problem viewing logs on forwarded ports from the firewall
> > > > > > > > to another server. I forwarded mail (port 25) from the firewall to an
> > > > > > > > internal server. The problem is, when I try to view the logs, it just
> > > > > > > > shows the firewall IP as the sender and not the original sender.
> > > > > > >
> > > > > > > In reality, the firewall may be making the connection to the internal
> > > > > > > server... and not the external machine. Especially if the internal
> > > > > > > server is on a 192.168.x.x or 10.x.x.x network and you are connecting
> > > > > > > via NAT. If that is the case, the external machine is connecting to the
> > > > > > > firewall and the firewall is connecting to the internal server.
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > CentOS mailing list
> > > > > > > CentOS at centos.org
> > > > > > > http://lists.centos.org/mailman/listinfo/centos

--
Regards,
Mark Quitoriano, CCNA
http://www.atamanetworks.com
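An added example, not code from anyone in the thread: a script that builds the two rule sets the discussion circles around. Internet-to-server forwarding needs only a DNAT in PREROUTING plus a FORWARD accept (Johnny's point), which is why the server then logs the real client address. The separate case of LAN clients connecting to the public IP (Mark's browser problem) needs a second DNAT matched on the LAN interface and, only there, an SNAT to the firewall's LAN address; that SNAT is the one place the server legitimately sees the firewall as the sender. The interface names, the public address 203.0.113.10, the LAN prefix 10.0.0.0/24 and the firewall LAN address 10.0.0.254 are assumptions for illustration; 10.0.0.1 is the server address from the thread. Rules are printed rather than applied unless run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not code from the thread). Builds the iptables rules for
# forwarding a TCP port from the firewall's public IP to an internal server,
# plus the "hairpin" rules that let LAN clients use the public address too.
# All interface names and addresses are assumptions chosen for illustration.
EXTIF="${EXTIF:-eth0}"            # Internet-facing interface (assumed)
INTIF="${INTIF:-eth1}"            # LAN interface (assumed)
EXTIP="${EXTIP:-203.0.113.10}"    # public IP on $EXTIF (documentation address)
INTNET="${INTNET:-10.0.0.0/24}"   # LAN prefix (assumed)
FWLANIP="${FWLANIP:-10.0.0.254}"  # firewall's own address on $INTIF (assumed)
SERVER="${SERVER:-10.0.0.1}"      # internal server (address used in the thread)

# Safe by default: rules are printed, not applied. Run as root with DRY_RUN=0
# to load them for real.
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }
ipt() { run iptables "$@"; }

base_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    ipt -P FORWARD DROP
    # Replies to anything already forwarded, in either direction.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Plain LAN -> Internet traffic, masqueraded behind $EXTIP.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
}

forward_port() {
    port="$1"
    # Internet -> server. DNAT only; no SNAT, so the server logs the real
    # client address and conntrack un-NATs the replies on their way out.
    ipt -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" --dport "$port" \
        -j DNAT --to-destination "$SERVER"
    # DNAT only rewrites the destination; FORWARD must still accept the packet.
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$SERVER" --dport "$port" \
        -m state --state NEW -j ACCEPT
    # Hairpin: a LAN client that connects to $EXTIP arrives on $INTIF.
    # DNAT it the same way, and allow the LAN -> LAN forward...
    ipt -t nat -A PREROUTING -i "$INTIF" -p tcp -d "$EXTIP" --dport "$port" \
        -j DNAT --to-destination "$SERVER"
    ipt -A FORWARD -i "$INTIF" -o "$INTIF" -p tcp -d "$SERVER" --dport "$port" \
        -m state --state NEW -j ACCEPT
    # ...and, only for this LAN-sourced case, SNAT to the firewall's LAN
    # address. Otherwise the server answers the client directly from 10.0.0.1,
    # the client expects the reply from $EXTIP, and the TCP handshake fails.
    # This is the one case where the server logs the firewall's IP instead of
    # the client's.
    ipt -t nat -A POSTROUTING -o "$INTIF" -s "$INTNET" -d "$SERVER" -p tcp \
        --dport "$port" -j SNAT --to-source "$FWLANIP"
}

# There is no "-j eth1": the kernel routing table, not iptables, chooses the
# output interface. A connected route such as "10.0.0.0/24 dev eth1" (added
# automatically when eth1 is configured, or explicitly with
# "ip route add 10.0.0.0/24 dev eth1") is what sends 10.0.0.0/24 traffic out
# eth1; the "-o eth1" matches above only test that decision, they never make it.

base_rules
forward_port 25    # SMTP, the port forwarded in the thread
forward_port 80    # HTTP, for the LAN browser problem in the follow-up
```

Run it once with the defaults to review the generated rules, then `DRY_RUN=0 EXTIF=... EXTIP=... sh forward.sh` as root to apply them. If the SNAT line is dropped, hairpin connections from the LAN fail while connections from the Internet keep working, which is exactly the symptom described in the follow-up.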