[CentOS] A little iptables help

Wed Sep 28 17:37:01 UTC 2005
Kirk Bocek <t004 at kbocek.com>


Aleksandar Milivojevic wrote:
> You assumed right.  However, Netfilter is smart enough to change source address
> on returning packet without explicit SNAT rule(s).  As long as incoming and
> outgoing packets are going through same firewall 

Ah ha! I *was* right. :) If you have more than one router on the network, you need to 
make sure the internal host uses the same router doing the DNAT for its outbound 
traffic.

On our network we have more than one router doing SNAT for the internal network which 
provides redundancy and load sharing. When I set up the inbound DNAT for SSH, I 
realized that both inbound and outbound streams from the target host had to go 
through the same router. What I didn't know is that you don't *need* the SNAT. My 
network just *happens* to be doing it.

Thanks,
Kirk
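A toy model of the behaviour discussed in this thread, added here as an example and not part of the original mailing-list post: each router keeps its own connection-tracking table, so a DNAT'ed connection gets its reply source rewritten only when the reply leaves through the router that translated the inbound packet. The addresses and the `Firewall`/`Packet` names are constructed for the example.

```python
"""Toy Netfilter DNAT + conntrack model (constructed example, not from the thread).
Shows why inbound and outbound streams must traverse the same firewall: the
reverse translation lives in that firewall's state table, not in any SNAT rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """One router: a DNAT PREROUTING rule plus its own connection-tracking table."""

    def __init__(self, dnat):
        self.dnat = dnat        # (public_ip, port) -> (internal_ip, port)
        self.conntrack = {}     # reply 4-tuple -> original (public_ip, port)

    def inbound(self, pkt):
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt
        new = Packet(pkt.src, pkt.sport, *target)
        # Remember how to undo the translation when the reply comes back.
        self.conntrack[(new.dst, new.dport, new.src, new.sport)] = (pkt.dst, pkt.dport)
        return new

    def outbound(self, pkt):
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return pkt          # no state here: the packet leaves untranslated
        return Packet(orig[0], orig[1], pkt.dst, pkt.dport)


def ssh_session(inbound_router, outbound_router):
    """Client connects to the public IP on port 22; the reply leaves via
    outbound_router. Returns the source address the client sees on the reply."""
    client = Packet("203.0.113.10", 40000, "198.51.100.1", 22)   # constructed
    to_host = inbound_router.inbound(client)
    reply = Packet(to_host.dst, to_host.dport, to_host.src, to_host.sport)
    return outbound_router.outbound(reply).src


if __name__ == "__main__":
    rules = {("198.51.100.1", 22): ("10.0.0.5", 22)}
    a, b = Firewall(rules), Firewall(rules)
    print("same router:", ssh_session(a, a))       # public IP restored
    print("other router:", ssh_session(a, b))      # internal IP leaks, client drops it
```

With symmetric routing the client sees the reply from the public address it connected to; when the reply takes a second router with no matching conntrack entry, it goes out with the internal source address and the connection fails.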