iptables question

Hello, I'm writing some iptable rules that will allow 2 internal
subnets to be NAT'ed to one IP. I also want to be able to
directly access these boxes on this internal LAN to be directly
reachable by their internal IP's. The following rules don't seem
to get the job done:

iptables -t nat -A POSTROUTING -o eth1 -s 172.31.7.0/24 -j SNAT
--to-source 216.xxx.xxx.17
iptables -t nat -A POSTROUTING -o eth1 -s 172.31.8.0/24 -j SNAT
--to-source 216.xxx.xxx.17
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

eth0 is the internal interface and eth1 is the external. The problem
is these rules arn't working, and I'm not sure why. I can't get any
of the hosts behind the NAT to ping the next hop router. Can anybody
see anything wrong?

adam wrote:
> Hello, I'm writing some iptable rules that will allow 2 internal
> subnets to be NAT'ed to one IP. I also want to be able to
> directly access these boxes on this internal LAN to be directly
> reachable by their internal IP's. The following rules don't seem
> to get the job done:
>
> iptables -t nat -A POSTROUTING -o eth1 -s 172.31.7.0/24 -j SNAT
> --to-source 216.xxx.xxx.17
> iptables -t nat -A POSTROUTING -o eth1 -s 172.31.8.0/24 -j SNAT
> --to-source 216.xxx.xxx.17
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> eth0 is the internal interface and eth1 is the external. The problem
> is these rules arn't working, and I'm not sure why. I can't get any
> of the hosts behind the NAT to ping the next hop router. Can anybody
> see anything wrong?

echo "1" > /proc/sys/net/ipv4/ip_forward

you better use this

iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED
-j ACCEPT

Eric