The problem is not iptables, but the routing. A short excursion: the subnet mask associated with an IP address determines whether another IP should be reachable via the default gateway or directly through a certain NIC.

For example (only 1 NIC in your box), 192.168.1.0/24 means a subnet mask of 255.255.255.0, so if the routing part of your kernel has to reach 192.168.2.1 it does the following:

own IP AND 255.255.255.0 = 192.168.1
other IP AND 255.255.255.0 = 192.168.2

If the results differ, the routing routine decides to take the default gateway.

To be more precise: any box in your 10.1.1.1/8 network will not be routed through your default gateway according to the above description. For example, 10.1.1.30 wants to reach the mail server:

10.1.1.20 AND 255.0.0.0 = 10.0.0.0
10.1.1.30 AND 255.0.0.0 = 10.0.0.0

The results DON'T differ, so the kernel will send the packets directly.

Solution: add extra routes, e.g. for the mail server:

route add 10.1.1.20 netmask 255.0.0.0 gw your.ext.ip.addr

Hope that helps.

Yours,
Michael

BTW: Why do you want to do so - logging purposes?
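To make the mask-and-compare rule above concrete, here is a small added example (not code from the thread or from either poster) that models the kernel's routing decision for the http server 10.1.1.30: every route is matched by ANDing the destination with the route's netmask, and the most specific match wins. It shows why a destination inside the connected network is delivered directly, why a public address goes to the default gateway, and how an extra host route for the mail server overrides the connected-network route. The /8 mask on the inside network, the public address 203.0.113.20 and the choice of the router's inside address 10.1.1.1 as the gateway of the host route are assumptions of the example, not facts from the posts.

```python
# Added example, not from the thread: a toy model of the routing decision
# described above. Each route is (network, netmask, gateway); a gateway of
# None means "deliver directly on the NIC". Among all matching routes the
# one with the longest netmask wins, which is why a /32 host route can
# override the /8 connected-network route.
import ipaddress


def to_int(ip):
    """Dotted-quad IPv4 string to integer."""
    return int(ipaddress.IPv4Address(ip))


def same_subnet(ip_a, ip_b, netmask):
    """The rule from the reply: AND both addresses with the mask, compare."""
    mask = to_int(netmask)
    return (to_int(ip_a) & mask) == (to_int(ip_b) & mask)


def route_lookup(dst, routes):
    """Return 'direct', 'via <gateway>' or 'unreachable' for dst,
    using longest-prefix match over the route table."""
    best = None  # (mask bits, gateway) of the most specific match so far
    for network, netmask, gateway in routes:
        if same_subnet(dst, network, netmask):
            mask_bits = bin(to_int(netmask)).count("1")
            if best is None or mask_bits > best[0]:
                best = (mask_bits, gateway)
    if best is None:
        return "unreachable"
    return "direct" if best[1] is None else "via " + best[1]


# Constructed route table for the http server 10.1.1.30 (assumed /8 mask).
CONNECTED_ONLY = [
    ("10.0.0.0", "255.0.0.0", None),      # own network, delivered directly
    ("0.0.0.0", "0.0.0.0", "10.1.1.1"),   # default route via the dmz router
]

# Same table plus a host route for the mail server pointing at the router.
# Using the router's inside address as the gateway is an assumption here.
WITH_HOST_ROUTE = CONNECTED_ONLY + [
    ("10.1.1.20", "255.255.255.255", "10.1.1.1"),
]

if __name__ == "__main__":
    # 203.0.113.20 stands in for the mail server's public address (assumed).
    for dst in ("10.1.1.20", "203.0.113.20"):
        print(dst, "->", route_lookup(dst, CONNECTED_ONLY),
              "| with host route:", route_lookup(dst, WITH_HOST_ROUTE))
```

Run stand-alone, the script shows 10.1.1.20 going direct with the plain table and via 10.1.1.1 once the host route is present, while the public address goes via the default gateway in both cases.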
I have a dmz firewall setup that connects 2 private networks (net1 and net2) with the public Internet.

I don't seem to be able to get my configuration to the point where a machine in net1 can connect to another machine in net1 through its public IP address. Example:

dmz router: 10.1.1.1
mail server: 10.1.1.20
http server: 10.1.1.30

I would like to enable the http server to go to the mail server through the public IP address of the mail server rather than being limited to going straight to 10.1.1.20.
All machines have 10.1.1.1 as their default gateway and NAT for mail connections from the outside works. I don't see any packets being dropped on the firewall since I allowed port 25 connections from the inside of the firewall as well.