On Friday 22 November 2002 06:32 am, americo.sb wrote:
> 1 - snat
> iptables -t nat -A POSTROUTING -o eth0 -p tcp -j SNAT --to-source 200.200.200.200
> 2 - dnat
> iptables -t nat -A PREROUTING -i eth0 -d 200.200.200.200 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.254:8080
>
> the problem is:
> if I write www.work.com from my house OK - go to my ns_server.work.com
> go ns1_server.my.work.com (iptables server - Name Server)
> go http_server.work.com
> if I write www.work.com from my lan, error, server not found.

Oscar's tutorial covers precisely this situation at
http://iptables-tutorial.frozentux.net/chunkyhtml/targets.html#DNATTARGET

The gist of it is that you should add an extra SNAT rule, something like

iptables -t nat -A POSTROUTING -d 10.0.0.254 -j SNAT --to 10.0.0.1

www.work.com will realize that the client is on the LAN, and the responses will be routed directly to the client instead of through the firewall. Problem is that the client is expecting this response from the firewall's public IP, NOT the DNATted server... The above SNAT will ensure that all DNATted connections will return to the firewall from www.work.com, regardless of whether or not they are to local IPs.

j
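To make the reply's argument concrete, here is an added Python model of the packet walk (not code from the thread or from the tutorial): a LAN client and an outside client each open a connection to 200.200.200.200:80, with and without the extra SNAT rule, and the model tracks what the server answers, whether that answer passes back through the firewall, and whether the client accepts it. It assumes a LAN client 10.0.0.7, a LAN prefix of 10.0.0.0/24, an outside client 198.51.100.23 (all constructed), and that the DNAT rule also matches LAN-originated traffic, i.e. without the -i eth0 match in the quoted rule.

```python
import ipaddress
from dataclasses import dataclass

PUBLIC_IP, FW_LAN_IP = "200.200.200.200", "10.0.0.1"  # firewall's two addresses
SERVER, SERVER_PORT = "10.0.0.254", 8080              # DNAT target from the thread
LAN = ipaddress.ip_network("10.0.0.0/24")             # assumed LAN prefix

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    def reverse(self):
        return Pkt(self.dst, self.dport, self.src, self.sport)

def nat_new_connection(pkt, hairpin_snat, conntrack):
    """Run a new connection's first packet through the nat table (PREROUTING
    DNAT, then POSTROUTING SNAT) and record how its reply must be un-NATted."""
    orig = pkt
    # PREROUTING: -d 200.200.200.200 --dport 80 -j DNAT --to 10.0.0.254:8080
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        pkt = Pkt(pkt.src, pkt.sport, SERVER, SERVER_PORT)
    # POSTROUTING: the extra -d 10.0.0.254 -j SNAT --to 10.0.0.1 rule
    if hairpin_snat and pkt.dst == SERVER:
        pkt = Pkt(FW_LAN_IP, pkt.sport, pkt.dst, pkt.dport)
    conntrack[pkt.reverse()] = orig.reverse()  # reply as server sends it -> reply client expects
    return pkt

def connect(client_ip, hairpin_snat, client_port=40000):
    """Return (accepted, reply_as_client_sees_it) for one SYN / SYN-ACK exchange."""
    conntrack = {}
    syn = Pkt(client_ip, client_port, PUBLIC_IP, 80)
    # The server answers the 4-tuple it actually saw.
    reply = nat_new_connection(syn, hairpin_snat, conntrack).reverse()
    # The reply only crosses the firewall if addressed to the firewall itself or
    # to a host outside the LAN (the firewall is the LAN's default gateway).
    via_firewall = (reply.dst in (FW_LAN_IP, PUBLIC_IP)
                    or ipaddress.ip_address(reply.dst) not in LAN)
    if via_firewall:
        reply = conntrack.get(reply, reply)  # conntrack undoes both translations
    # The client only accepts a segment that matches the 4-tuple of its own SYN.
    return reply == syn.reverse(), reply

if __name__ == "__main__":
    for client in ("10.0.0.7", "198.51.100.23"):        # constructed LAN / outside clients
        for snat in (False, True):
            ok, seen = connect(client, snat)
            print(f"client {client:14} hairpin SNAT {snat!s:5} -> accepted={ok} got {seen}")
```

Without the extra rule the LAN client receives a SYN-ACK from 10.0.0.254:8080 instead of 200.200.200.200:80 and discards it, which is the "server not found" seen from the LAN; the outside client works either way.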