Hi guys,

Suppose I have the following configuration:

                ------------------
    LAN --------| eth0      eth1 |-------Internet
                |                |
                ------------------
                   Linux Router

    eth0_IP = 192.168.0.1 (LAN)
    eth1_IP = 194.105.29.2 (IP)

I use the machine only as a router so all the other services (HTTP, FTP) are hosted on another machine, connected in my LAN (192.168.0.2).

My LAN clients use the Linux machine as a NAT firewall (SNAT in fact).

I have only one IP given by my ISP, for my whole home network (194.105.29.2).

So accessing different services on my LAN, from the Internet, must be done through that single IP (even though the services are hosted on different machines).

So the solution is DNAT :)

Here is what I have done:

    iptables -t nat -A PREROUTING -i eth1 -d 194.105.29.2 -p TCP --dport 80 -j DNAT --to-destination 192.168.0.2

When I try to access the web server from the Internet the DNAT is working!

Now, the problem comes when a machine like 192.168.0.121 wants to access the web server. (Keep in mind that the client - 192.168.0.121 is on the same subnet as the web server - 192.168.0.2)

This machine (192.168.0.121) will send a request to 194.105.29.2 wanting to access the web server. The router will "redirect" the request to 192.168.0.2 (as it is supposed to do).

Now when the packets arrive on 192.168.0.2, the web server will see packets from 192.168.0.121. He will send the packets to 192.168.0.121 as it was requested, BUT NOT THROUGH THE ROUTER!!!

192.168.0.2 is on the same subnet as 192.168.0.121, so the packets will follow the shorter route, avoiding the Linux router.

Now, the web browser on 192.168.0.121 will see packets coming from 192.168.0.2, and it will assume they are bogus packets, and will ignore them... SO, NO CONNECTION...

Remember 192.168.0.121 asked for packets from 194.105.29.2 and not from 192.168.0.2!!!

What can I do to allow my LAN clients to access the web server through the router?

Please write me a line of code :) I am new to "iptables" :(

Thanking you in advance,
Mihai Vlad
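
The packet flow described in the post, as an added example that is not part of the original message: a small Python model (not real netfilter) of the 4-tuple mismatch and of how source-NATing LAN-originated traffic on the router's LAN side forces the reply back through the router. Assumptions: the LAN is 192.168.0.0/24, the web server's default gateway is the router, the client port 40000 and the Internet client 203.0.113.7 are constructed, and the two iptables rules in the comments are one common way to express the fix.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
PUBLIC_IP, ROUTER_LAN_IP, WEB = "194.105.29.2", "192.168.0.1", "192.168.0.2"
LAN_PREFIX = "192.168.0."  # assumption: the LAN is 192.168.0.0/24

# Rules the model stands for (assumption: DNAT must also match LAN traffic on eth0):
#   iptables -t nat -A PREROUTING -i eth0 -d 194.105.29.2 -p tcp --dport 80 \
#       -j DNAT --to-destination 192.168.0.2
#   iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 192.168.0.2 \
#       -p tcp --dport 80 -j SNAT --to-source 192.168.0.1

def reply_of(pkt):
    """Mirror a packet's 4-tuple, as the peer's answer would carry it."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

class Router:
    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # reply tuple expected from the server -> original request

    def forward(self, pkt):
        out = pkt
        if pkt.dst == PUBLIC_IP and pkt.dport == 80:  # PREROUTING: DNAT
            out = out._replace(dst=WEB)
        if self.hairpin_snat and pkt.src.startswith(LAN_PREFIX) and out.dst == WEB:
            out = out._replace(src=ROUTER_LAN_IP)  # POSTROUTING: SNAT (port kept for simplicity)
        self.conntrack[reply_of(out)] = pkt
        return out

    def reverse(self, reply):
        """Undo both translations on a reply that passes back through the router."""
        return reply_of(self.conntrack[reply])

def simulate(client_ip, hairpin_snat):
    """Return (reply as seen by the client, whether its TCP stack accepts it)."""
    router = Router(hairpin_snat)
    request = Packet(client_ip, 40000, PUBLIC_IP, 80)  # constructed sample flow
    reply = reply_of(router.forward(request))
    if reply.dst.startswith(LAN_PREFIX) and reply.dst != ROUTER_LAN_IP:
        seen = reply  # same subnet: the server answers directly, bypassing the router
    else:
        seen = router.reverse(reply)  # via the router, which restores the original tuple
    # A TCP socket only accepts segments whose 4-tuple mirrors its own request.
    return seen, seen == reply_of(request)

if __name__ == "__main__":
    for client, snat in [("192.168.0.121", False), ("192.168.0.121", True), ("203.0.113.7", False)]:
        print(client, "hairpin SNAT" if snat else "DNAT only", *simulate(client, snat))
```

With the SNAT rule in place the web server's access log shows 192.168.0.1 as the source of every LAN client request, which matters if those logs are used for auditing.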