Networking Forums

IPTABLES CONFUSION

Charles Prince
06-10-2004, 07:26 AM

Help, I'm totally confused by iptables.

What I want is to be able to assign a static public IP address to one of
my servers (WEB server) and then to dynamically NAT all other servers to a separate
public IP address. This will mean that

WEB server = in/out on own public address

others = out on shared public address and no ability to connect to the
servers from outside our network

I followed the manual and the various example scripts I came across, but the
best I can get is all my servers, including the WEB server, DNAT'ing on a single public IP
address going out and able to come back in to the WEB server via its
individual public IP address.

This is the script I have crafted

=======================================================================
#!/bin/bash
# Start from empty chains in both the filter table and the nat table
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# DNAT
# MASQUERADE everything from 192.178.107.0/24 that leaves via eth0.
# This is the first rule in nat POSTROUTING, so it is the first one
# tried for every outbound packet, the WEB server's included.
iptables -A POSTROUTING -t nat -o eth0 -s 192.178.107.0/24 -d 0/0 -j MASQUERADE
iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# SNAT local network to internet
# Matches packets whose source is 212.87.187.140 (the public address)
# and rewrites the source to 192.178.107.140 (the private address).
iptables -t nat -A POSTROUTING -s 212.87.187.140 -o eth0 -j SNAT --to-source 192.178.107.140

# DNAT internet to local network
# Packets arriving on eth0 for 212.87.187.140 go to 192.178.107.140.
iptables -t nat -A PREROUTING -d 212.87.187.140 -i eth0 -j DNAT --to-destination 192.178.107.140

# forwarding to SNAT servers
# New TCP connections from eth0 to the WEB server on ports 80, 443 and 22
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.178.107.140 -m multiport --dport 80,443,22 -m multiport --sport 1024:65535 -m state --state NEW -j ACCEPT

# forwarding to DNAT servers
# (these two repeat the FORWARD rules added above)
iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
=======================================================================

When I test this, it seems that the rule

# SNAT local network to internet
iptables -t nat -A POSTROUTING -s 212.87.187.140 -o eth0 -j SNAT --to-source 192.178.107.140

is not working, as I am connecting to other servers on the internet with
the gateway's address of 192.178.107.139

yet the rule

# DNAT internet to local network
iptables -t nat -A PREROUTING -d 212.87.187.140 -i eth0 -j DNAT --to-destination 192.178.107.140

is working as I can connect from the internet.

So where am I going wrong?

TIA.

 
Charles Prince
06-10-2004, 09:42 AM
On Thu, 10 Jun 2004 08:26:06 +0100, Charles Prince wrote:

<snip>

Solved the problem.

Basically, do not use MASQUERADE and switch the public and private IPs in
the example scripts on the SNAT line.

 
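Putting the reply's two fixes together, here is a complete version of the script this thread is after. It is an added example, not the poster's own script. It keeps the interfaces and addresses from the first post (eth0 towards the internet, eth1 towards the servers, WEB server 192.178.107.140 behind 212.87.187.140) and assumes a second public address, 212.87.187.141, for the shared outbound NAT, because the post never names one. Beyond swapping the two addresses on the SNAT line, two things matter: the nat table stops at the first matching rule, so the WEB server's own SNAT has to be added before the catch-all SNAT for the rest of the LAN (in the original script the MASQUERADE rule came first and caught the WEB server's traffic as well), and the FORWARD chain needs a DROP policy with explicit ACCEPTs so the other servers really are unreachable from outside.

```shell
#!/bin/sh
# Added example, not the script from the thread. Interfaces and the WEB
# server's addresses come from the original post; SHARED_PUB is an ASSUMED
# second public address for the non-web servers, which the post never names.
WAN_IF=eth0                    # interface facing the internet
LAN_IF=eth1                    # interface facing the servers
LAN_NET=192.178.107.0/24       # server network, as used in the post
WEB_PRIV=192.178.107.140       # WEB server, private side
WEB_PUB=212.87.187.140         # WEB server, public side (1:1 NAT)
SHARED_PUB=212.87.187.141      # ASSUMED shared public address for every other server
IPT="${IPT:-iptables}"         # run with IPT=echo to print the rules instead of loading them

reset_tables() {
    # Close the forwarding path first, then empty both tables
    $IPT -P FORWARD DROP
    $IPT --flush
    $IPT --delete-chain
    $IPT -t nat --flush
    $IPT -t nat --delete-chain
}

# nat table: first match wins, so the WEB server's 1:1 mapping is added
# BEFORE the catch-all SNAT for the rest of the LAN.
nat_rules() {
    # inbound: the WEB server's public address -> its private address
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WEB_PUB" -j DNAT --to-destination "$WEB_PRIV"
    # outbound from the WEB server: private address -> its own public address
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$WEB_PRIV" -j SNAT --to-source "$WEB_PUB"
    # outbound from everything else on the LAN: one shared public address
    # (plain SNAT rather than MASQUERADE, since the address is static)
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$SHARED_PUB"
}

# filter table: with policy DROP, only the WEB server accepts NEW
# connections from the internet; everything else is outbound-only.
filter_rules() {
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_PRIV" -p tcp -m multiport --dports 80,443 \
         -m conntrack --ctstate NEW -j ACCEPT
    # anything else reaching FORWARD falls through to the DROP policy
}

apply_all() {
    reset_tables
    nat_rules
    filter_rules
}

# Only touch the firewall when explicitly asked, e.g. `sudo sh nat.sh apply`
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

`IPT=echo sh nat.sh apply` prints the rules in the order they would be loaded; `sudo sh nat.sh apply` loads them. The box also needs `sysctl -w net.ipv4.ip_forward=1` and the shared public address configured as a secondary address on eth0, or the SNAT'd packets have no address to return to. The original script also forwarded port 22 to the WEB server; add it to `--dports` only if SSH really has to be reachable from the internet. `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread; both work.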