Outgoing NAT problem.

/dev/rob0 rob0 at gmx.co.uk
Tue Jul 5 17:00:47 CEST 2005


On Tuesday 05 July 2005 09:50, Carlos Cruells wrote:
> iptables -t nat -A POSTROUTING -s 10.10.12.30 -o eth1 -j SNAT --to
> 62.93.44.116

If a packet has a source IP of 10.10.12.30 and is routed out the eth1 
interface, rewrite the source IP to 62.93.44.116.

> When i do a simple ping test from LAN --> Internet, it fails, but if

Don't do it from anywhere on the LAN. Only do it from 10.10.12.30. It 
won't work from any other IP. Perhaps you wanted to use a different 
source specification, like "-s 10.10.12.0/24" or "-s 10.0.0.0/8"?

> i repeat the same test from firewall, it does ok.
>
> IP_LAN -------(ping)--------> IP www.cisco.com = Not OK
> Firewall -------(ping)--------> IP www.cisco.com = OK

DNS might also be a factor. Only the firewall machine and 10.10.12.30 
would be able to get out to any external resolvers with that rule.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



More information about the netfilter mailing list