Hi Jan!

> I need all traffic (all ports/protocols) from the Internet to our public
> address <PUB1> to forward/masq to private address <PRIV1> and the same
> thing with the second -- <PUB2> to forward/masq to <PRIV2>.

OK. That sounds easy, but I don't think it is possible using the options in SuSEfirewall2. My understanding of how iptables works is still limited, and I'm unable to test anything here (being stuck with only one public IP). Something along the following (completely untested!) *might* work, either in fw_custom_before_masq() or fw_custom_before_denyall():

========== snip
# Inbound: rewrite the destination, then accept the forwarded traffic
for DEV in $FW_DEV_EXT; do
    $IPTABLES -A PREROUTING -j DNAT -t nat -s 0/0 -d $PUB1 --to-destination $PRIV1 -i $DEV
    $IPTABLES -A PREROUTING -j DNAT -t nat -s 0/0 -d $PUB2 --to-destination $PRIV2 -i $DEV
    for CHAIN in forward_ext forward_dmz forward_int; do
        $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT-DNAT " -s 0/0 -d $PRIV1 -i $DEV
        $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -d $PRIV1 -i $DEV
        $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT-DNAT " -s 0/0 -d $PRIV2 -i $DEV
        $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -d $PRIV2 -i $DEV
    done
done

# For outbound connections from $PRIV1 and $PRIV2 only (not sure)
for DEV in $FW_DEV_EXT; do
    for CHAIN in forward_ext forward_dmz forward_int; do
        $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT-SNAT " -s $PRIV1 -d 0/0 -o $DEV
        $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $PRIV1 -d 0/0 -o $DEV
        $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT-SNAT " -s $PRIV2 -d 0/0 -o $DEV
        $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $PRIV2 -d 0/0 -o $DEV
    done
    $IPTABLES -A POSTROUTING -j SNAT -t nat -s $PRIV1 -d 0/0 --to-source $PUB1 -o $DEV
    $IPTABLES -A POSTROUTING -j SNAT -t nat -s $PRIV2 -d 0/0 --to-source $PUB2 -o $DEV
done
========== snip

Regards,
Andy

--
Andreas J. Mueller email: <andy@muelli.net>
PGP RSA Public Key ID 0x3D41D941 FP: ED261973D51D3D20 C840B0542E69F602
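
As an added example (not part of the mail above and not SuSEfirewall2 code), the script below generalizes the mail's two mappings to any list of PUB=PRIV pairs, validates them, and prints the resulting rules for review instead of loading them. The device eth0 and all addresses are constructed sample values, and the literal `iptables` and `ACCEPT` are assumptions standing in for the hook's `$IPTABLES` and `$ACCEPT`.

```shell
#!/bin/sh
# Added example: prints 1:1 NAT rules for review instead of loading them.
# Constructed values: eth0, 203.0.113.x (documentation range), 192.168.1.x.
# Assumption: literal "iptables" and "ACCEPT" stand in for $IPTABLES/$ACCEPT.

# Succeed only for a dotted quad whose four octets are each 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: gen_one_to_one DEV PUB=PRIV [PUB=PRIV ...]
gen_one_to_one() {
    [ "$#" -ge 2 ] || { echo "usage: gen_one_to_one DEV PUB=PRIV..." >&2; return 1; }
    dev=$1; shift
    seen=" "
    # Pass 1: reject the whole set on any bad or reused address, so a typo
    # never yields a half-written rule set.
    for pair in "$@"; do
        pub=${pair%%=*}; priv=${pair#*=}
        case "$pair" in *=*) ;; *) echo "not PUB=PRIV: $pair" >&2; return 1 ;; esac
        if ! is_ipv4 "$pub" || ! is_ipv4 "$priv" || [ "$pub" = "$priv" ]; then
            echo "bad address in: $pair" >&2; return 1
        fi
        case "$seen" in
            *" $pub "*|*" $priv "*) echo "address reused: $pair" >&2; return 1 ;;
        esac
        seen="$seen$pub $priv "
    done
    # Pass 2: emit DNAT/SNAT plus the forward accepts, using the mail's chains.
    state="-m state --state NEW,ESTABLISHED,RELATED"
    for pair in "$@"; do
        pub=${pair%%=*}; priv=${pair#*=}
        echo "iptables -t nat -A PREROUTING -i $dev -d $pub -j DNAT --to-destination $priv"
        echo "iptables -t nat -A POSTROUTING -o $dev -s $priv -j SNAT --to-source $pub"
        for chain in forward_ext forward_dmz forward_int; do
            echo "iptables -A $chain -i $dev -d $priv $state -j ACCEPT"
            echo "iptables -A $chain -o $dev -s $priv $state -j ACCEPT"
        done
    done
}
```

Because every protocol and port is forwarded, the printed output is also the complete list of what becomes reachable on each private host, which makes it a convenient artifact to review before anything is loaded.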