On Sat, 2005-11-05 at 08:25 -0600, Nathaniel Hall wrote:
> Craig White wrote:
>
> >On Fri, 2005-11-04 at 08:35 -0600, Nathaniel Hall wrote:
> >
> >>I know this sounds like a stupid question, but I'm gonna ask anyway. I
> >>would like to create a router using Fedora Core 3 (or 4) and netfilter,
> >>but I don't want to masquerade. Am I going to have to do SNAT and DNAT
> >>or is there any way I can do it without any kind of NAT?
> >>
> >----
> >it might be easier to make suggestions if it were clearer what you had
> >in mind.
> >
> >A router doesn't need to do NAT if the clients know where they are
> >going (i.e. static routes) or it very well may be that a proxy server like
> >squid will do what you want.
> >
> >Craig
> >
> I have a setup with multiple firewalls around my DMZ. The DMZ is
> addressed with legal IP addresses and the internal network is addressed
> with private addresses. I perform many to one NAT on the external
> firewall and simply route (and filter) at the internal firewall. This
> keeps me from having to figure out which internal IP address was NATed
> to which external IP address when I am looking at access logs. The
> internal firewall took very little setup, but it isn't netfilter. Is
> there any way to get FC4 to do the same?
----
Still not entirely clear but perhaps I'm not smart enough. It sounds to me like you are doing a double NAT with both firewalls. Thinking that your external firewall provides NAT to computers in the DMZ and the external address of your internal firewall, and your internal firewall is providing NAT to the private address systems on your LAN, then your systems on the LAN are using the internal IP of your internal firewall as their default gateway and that means the internal firewall is providing NAT.

If you didn't want to do NAT through the internal firewall, you would have to set the default gateway to the internal side of your external firewall and a static route for these systems to know how to get there, which seems to be too much of a hassle...hence doing NAT on the internal firewall makes sense.

Craig
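What Nathaniel describes (route and filter at the internal firewall, NAT only at the outer one) is straightforward with netfilter: the internal box simply never loads a `nat` table, and the hops on the DMZ side get a static route for the private range so replies can find their way back. The script below is an added example written for this thread, not code posted by either participant. The addresses, interface names and the SSH admin rule are constructed assumptions: the DMZ is 203.0.113.0/24, the internal firewall sits at 203.0.113.2 (eth0, DMZ side) and 192.168.10.1 (eth1, LAN side), and the LAN is 192.168.10.0/24.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed addressing (assumptions):
#   DMZ network (legal addresses):        203.0.113.0/24
#   internal firewall, DMZ-facing side:   203.0.113.2 on eth0
#   internal firewall, LAN-facing side:   192.168.10.1 on eth1
#   internal LAN (private addresses):     192.168.10.0/24
# The internal firewall only routes and filters; NAT stays on the external firewall.

DMZ_NET=203.0.113.0/24
FW_DMZ_ADDR=203.0.113.2
LAN_NET=192.168.10.0/24
DMZ_IF=eth0
LAN_IF=eth1

# Emit an iptables-restore ruleset for the internal firewall. Only the
# filter table is declared; there is no *nat section at all, so nothing
# is masqueraded and DMZ access logs show the real 192.168.10.x sources.
gen_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to the firewall's own traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Admin SSH only from the LAN side (assumed policy)
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Stateful forwarding: LAN may open connections toward the DMZ, DMZ may only answer
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# Anti-spoofing: packets claiming a LAN source must never arrive from the DMZ side
-A FORWARD -i $DMZ_IF -s $LAN_NET -j DROP
# Log whatever the DROP policy is about to discard
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Route the other hops need because the LAN is not NATed here: the external
# firewall (and any DMZ host that talks to the LAN directly) must send the
# private range to the internal firewall's DMZ-side address.
gen_return_routes() {
    printf 'ip route add %s via %s\n' "$LAN_NET" "$FW_DMZ_ADDR"
}

# Kernel setting the internal firewall itself needs; without it nothing is forwarded.
gen_forwarding_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Number of nat-table declarations in the generated ruleset; the design requires 0.
nat_table_count() {
    gen_filter_rules | grep -c '^\*nat' || true
}

# Load the ruleset on the internal firewall (must run as root; not run by default).
apply_rules() {
    gen_filter_rules | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}

# Print the generated artefacts when invoked with "show".
if [ "${1:-}" = "show" ]; then
    gen_filter_rules
    gen_return_routes
    gen_forwarding_sysctl
fi
```

The external firewall still has to NAT the 192.168.10.0/24 sources before they reach the internet, which is the many-to-one NAT Nathaniel already runs there; the point of this layout is only that the inner hop forwards packets unchanged, so the DMZ logs name the actual internal host. Run `sh script.sh show` to inspect the output before loading it with `apply_rules`.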