NetFilter

Re: is it possible to nat to the routed IP?

To: netfilter@lists.netfilter.org
Subject: Re: is it possible to nat to the routed IP?
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Sat, 16 Dec 2006 12:02:10 +0100
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
In-reply-to: <000f01c720e8$f75b5d50$0202fea9@tanjian>
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Organization: Plouf !
References: <000f01c720e8$f75b5d50$0202fea9@tanjian>
Sender: netfilter-bounces@lists.netfilter.org
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Hello,

Rob Sterenborg a écrit :

$ipt -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 \
  -j DNAT --to 192.168.2.208

Zhen Zhou wrote:

Now another issue has popped up:

210.153.22.x is the Internet gateway IP, 210.153.22.y is a public IP for
publishing 192.168.3.208. Of course, traffic from the Internet to
192.168.3.208 goes through 210.153.22.y. But on the other hand, all the
traffic from 192.168.3.208 to the outside will go to 210.153.22.x; could
it possibly go via 210.153.22.y under some protocols? How to configure
that?

Insert this kind of rule before the generic SNAT rule:

$ipt -t nat -A POSTROUTING -o <interface> -s 192.168.2.208 -p <proto> \
  [--dport <port>] -j SNAT --to 210.153.22.y

[...]
A http connection is made to the server at destination port 80/tcp.
[...] So, return packets are coming from source port 80/tcp.
I think this is what you want:

$ipt -t nat -A POSTROUTING -s 192.168.2.208 -p tcp --sport 80 \
  -j SNAT --to 210.153.22.y

This rule is useless for handling HTTP return packets. Return packets are in the ESTABLISHED state and don't traverse the 'nat' chains.

Packets from 192.168.2.208:80 are SNAT-ed to 210.153.22.y

Yes, but not because of this SNAT rule but because of the DNAT rule above and because stateful DNAT does implicit SNAT on return packets.
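The rule ordering described in this reply, written out as a complete, added example (not code from the thread or from the netfilter project): the DNAT rule publishes the server on the secondary address, a specific SNAT rule for traffic the server originates is placed before the generic SNAT rule, and no separate `--sport 80` rule is needed because conntrack reverses the DNAT on replies. Assumptions not in the thread: the external interface is `eth0`, the LAN is 192.168.2.0/24, and the "some protocols" case is taken to be outbound HTTP (tcp/80). The address placeholders 210.153.22.x and 210.153.22.y are kept from the thread, so the script defaults to a dry run (`IPT="echo iptables"`) that only prints the commands for review; set `IPT=iptables` with real addresses to apply them.

```shell
#!/bin/sh
# Added example: ordered NAT rules for a gateway that publishes one internal
# host on a secondary public address. Not from the original thread.
# IPT defaults to a dry run so the generated rules can be reviewed without
# root and without real addresses; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
WAN_IF="eth0"               # assumed external interface
LAN_NET="192.168.2.0/24"    # assumed internal network
GW_IP="210.153.22.x"        # placeholder gateway address from the thread
PUB_IP="210.153.22.y"       # placeholder secondary public address
SRV_IP="192.168.2.208"      # internal web server from the thread

nat_rules() {
    # Inbound: publish the server's port 80 on the secondary address.
    # Conntrack records the mapping, so reply packets (state ESTABLISHED)
    # are reverse-translated automatically and never consult the nat table;
    # a "--sport 80 -j SNAT" rule would never see them.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SRV_IP"

    # Outbound, specific: connections the server itself opens to tcp/80
    # leave from the secondary address. This must precede the generic rule,
    # because the first matching nat rule wins for a new connection.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$SRV_IP" -p tcp --dport 80 \
        -j SNAT --to-source "$PUB_IP"

    # Outbound, generic: everything else from the LAN leaves from the
    # gateway address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$GW_IP"
}

# 1-based position of the first generated rule matching a pattern; lets a
# reviewer confirm the specific SNAT rule sits before the generic one.
rule_position() {
    nat_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

nat_rules
```

In the dry run the three commands print in order; `rule_position "SNAT --to-source $PUB_IP"` returns 2 and `rule_position "SNAT --to-source $GW_IP"` returns 3, which is the ordering the reply asks for. Swapping the two POSTROUTING rules would make the generic rule match the server's tcp/80 connections first, and the specific rule would be dead.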

