Hi, On Fri, Jan 16, 2009 at 11:19, Thom Paine <painethom at gmail.com> wrote: > Is there some step with networking that I am missing in getting this to work? Yes, the packet must return to the original source in the Internet with the y.y.y.y source IP. Your machine with IP x.x.x.x probably has a default gateway in eth0, so it will probably try to return the packets through that interface. I see three alternatives here to make this work: 1) Route any TCP packets with source IP 10.10.10.1 and source port 25 using 10.10.10.4 as the gateway. This can be done with help of the utilities in the iproute2 package, with the "ip" command (see "man ip"). This is quite complex but I'm almost sure it can be done. Read http://lartc.org/howto/. I think you can also use iptables to mark the packages with that specification and then use the "ip" command to route them through that gateway. 2) Configure the NAT of the machine with IP y.y.y.y to rewrite the packets to y.y.y.y:25 not only with new destination 10.10.10.1:25 but with source 10.10.10.4. That way the connection will return to the machine with IP y.y.y.y that will be able to NAT it back to the original y.y.y.y:25 address on the source and the original address on the internet as the destination. The problem here is that the box with IP x.x.x.x does not know from where the original connection came, it looks like all the connections are coming from 10.10.10.4. 3) Configure the machine with IP y.y.y.y to send the packets unchanged to machine with IP 10.10.10.1, that is, with y.y.y.y still as the destination address (in other words, no NAT is being done here, the machine is only using 10.10.10.1 to resolve a MAC address and forward the packet to that machine). Machine with IP x.x.x.x *must* have y.y.y.y/32 as an alias in one of the interfaces, otherwise it will reject the packet. Usually the loopback interface is the one used for that (add the y.y.y.y IP to lo:0). This way, the machine with IP x.x.x.x will return the packets through the original source in the Internet through its eth0 interface, the one with x.x.x.x IP, but as the packets have never been rewritten and the machine considers y.y.y.y an IP of its own, it is going to send the packet back with source y.y.y.y:25, which is what is needed for the original host to recognize the connection. This will make the traffic asymetric, entering your network through the y.y.y.y Internet line, but leaving through the x.x.x.x Internet line. Not 100% sure on how to implement the tricky routing without NATing on Linux, almost sure it's possible though. It will probably involve iptables to mark the connection and then using the tools in iproute2 to route them without rewriting. There is a slight issue here that from host with IP x.x.x.x you will not be able to start connections to y.y.y.y and have them routed (through the Internet) to your other host, but you will still reach it through 10.10.10.4 which is probably what you will want. > (I use gshield) Then you should probably ask in a gshield mailing list how to do it with that specific tool. All of the above assumes iptables and iproute2 only, so it might not be directly applicable on the gshield configuration you already have. On Fri, Jan 16, 2009 at 17:57, nate <centos at linuxpowered.net> wrote: > If it was my setup I wouldn't do either instead I would fire up a > VM that had the other gateway as it's default gateway, keep it > simpler. Just my opinion, but I wouldn't say that firing up a VM would make anything "simpler"... Now instead of one problem you got two... :-) Not to say that it wouldn't be possible, and if you're well versed in VM technology and already have the infrastructure it may be a good way to solve such a problem. However, if you don't, then you will have to worry about VM-specific issues, VM-specific networking (which can get quite tricky, especially in a host with more than one interface), VM-related performance issues... Not to mention that you have to administrate, maintain and update two hosts instead of one. In the case of the OP, I would urge him to evaluate if that network topology really makes sense. Does it make sense having two hosts with two different connections? In that case, does it make sense to run services like mail/web servers on these hosts? Shouldn't they be dedicated routers/firewalls instead? And do you really need to use port forwarding connections to a host that is already directly connected to the internet? HTH, Filipe