On Mon, Nov 23, 2009 at 4:31 PM, Peter Peltonen <peter.peltonen at gmail.com> wrote:
> Hi,
>
> On Mon, Nov 23, 2009 at 4:15 PM, Giovanni Tirloni <tirloni at gmail.com> wrote:
>> On Mon, Nov 23, 2009 at 12:10 PM, Peter Peltonen
>> <peter.peltonen at gmail.com> wrote:
>>> Hi,
>>>
>>> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
>>>
>>> I have the following setup:
>>>
>>> eth0: connects to the Internet with static public IP 1.2.3.1 (obscured
>>> here for privacy)
>>> eth1: connects to the DMZ with static public IP 1.2.3.2 (obscured here for privacy)
>>> eth2: connects to the LAN with static private IP 192.168.0.1
>>>
>>> Traffic to hosts in the DMZ/Internet through eth0/1 works fine.
>>>
>>> I tried masquerading the LAN with the following:
>>>
>>> iptables -A FORWARD -i eth2 -j ACCEPT
>>> iptables -A FORWARD -o eth2 -j ACCEPT
>>> iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1
>>>
>>> After this I can ssh to a server in the Internet from the LAN using
>>> the server's IP address but not its name. The w command on the server
>>> tells me that my address has not been masqueraded (it's 192.168.0.2,
>>> the LAN client's private IP).
>>
>> If you can ssh to a server on the Internet then your connectivity is
>> working. You might want to check if DNS is allowed and working from
>> the LAN hosts to the Internet.
>>
>> The fact that 'w' shows your internal IP address is because you're
>> connecting from the LAN to the gateway, which doesn't trigger the SNAT
>> because it's not forwarding any packets... only accepting your
>> connection.
>
> Hmm, I am SSHing not to the gateway but to a server in the Internet, so
> shouldn't it masquerade the address and w show the gateway's IP and
> not the client's -- isn't this the whole point of the SNAT?
>
> No other service than SSH seems to work. If I do "telnet mydnsip 53"
> there is no response, it just hangs. I also have correct DNS in
> /etc/resolv.conf.
Does nobody have any other ideas about what I might be doing wrong here?

Best,
Peter
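As an added check that is not part of the thread: a small Python audit that reads iptables-save output and reports which of the three rules this setup needs are absent for a given LAN subnet, LAN interface and egress interface, and flags the `FORWARD -o eth2 -j ACCEPT` rule for having no state match (as written it admits any packet routed toward the LAN, not only replies). The sample save output is constructed to mirror the rules posted above; the function names and interface arguments are my own.

```python
# Constructed sample in iptables-save format, mirroring the rules posted in the
# thread (1.2.3.1 and 192.168.0.0/24 are the obscured values from the mail).
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -o eth2 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1
COMMIT
"""

def parse_save(text):
    """Map table name -> list of tokenised '-A' rules from iptables-save output."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith('*'):          # '*filter', '*nat': start of a table
            current = line[1:].strip()
            tables[current] = []
        elif line.startswith('-A ') and current is not None:
            tables[current].append(line.split())
    return tables

def opt(rule, flag):
    """Value that follows `flag` in a tokenised rule, or None if absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None

def audit_snat(text, lan_cidr, lan_if, wan_if):
    """Findings for a LAN-behind-SNAT gateway: missing rules and over-broad ones."""
    tables = parse_save(text)
    findings = []
    post = [r for r in tables.get('nat', []) if r[1] == 'POSTROUTING']
    if not any(opt(r, '-s') == lan_cidr and opt(r, '-o') == wan_if
               and opt(r, '-j') in ('SNAT', 'MASQUERADE') for r in post):
        findings.append(f'missing: nat POSTROUTING SNAT/MASQUERADE {lan_cidr} -o {wan_if}')
    fwd = [r for r in tables.get('filter', []) if r[1] == 'FORWARD']
    if not any(opt(r, '-i') == lan_if and opt(r, '-j') == 'ACCEPT' for r in fwd):
        findings.append(f'missing: filter FORWARD -i {lan_if} ACCEPT')
    inbound = [r for r in fwd if opt(r, '-o') == lan_if and opt(r, '-j') == 'ACCEPT']
    if not inbound:
        findings.append(f'missing: filter FORWARD -o {lan_if} ACCEPT')
    elif not any('--state' in r or '--ctstate' in r for r in inbound):
        findings.append(f'over-broad: FORWARD -o {lan_if} ACCEPT has no ESTABLISHED,RELATED match')
    return findings
```

Running it with `wan_if='eth1'` shows the case where LAN traffic actually leaves through the DMZ interface: no SNAT rule matches, so the private source address is preserved exactly as `w` reported.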