Thanks Joel. It works like a charm.

Jiwei

-----Original Message-----
From: Joel Newkirk [mailto:netfilter@xxxxxxxxxx]
Sent: Sunday, March 16, 2003 3:04 PM
To: Jiwei Wang; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Is it possible connecting to a forwarded port from inside the network?

On Sunday 16 March 2003 02:18 pm, Jiwei Wang wrote:
> Hello,
>
> I'm using iptables on a RedHat 8.0 box to do firewalling and port
> forwarding. The port-forwarding works perfectly when accessed from
> outside my internal networks. However, I cannot access the forwarded
> ports from inside the network.
>
> I tried to use two IP addresses to do this. That is, I have public IP
> addresses a.b.c.x and a.b.c.y both assigned to my Internet facing
> eth0; I use a.b.c.x for SNAT and a.b.c.y for DNAT port forwarding
> (a.b.c.y:80 is forwarded to an internal host port 80); from the
> Internet a.b.c.y:80 works ok, but I still cannot access a.b.c.y:80
> from any of my internal boxes.

Add this, where d.e.f.y is the IP of the internal host, and d.e.f.z is the internal IP of the firewalling box:

    iptables -t nat -A POSTROUTING -o eth1 -d d.e.f.y -p tcp --dport 80 -j SNAT --to d.e.f.z

This will force a.b.c.y to respond to the firewall instead of directly to the client, so that the reverse DNAT can take place. As it stands, the server is probably trying to reply directly to the client, which is discarding the reply. (It's waiting for a response from a.b.c.y, not d.e.f.y!) Once the reply comes back to the firewall, it will undo the SNAT, setting the destination of the reply back to the original client, then it will undo the DNAT, setting the 'source' of the reply back to the public IP a.b.c.y.

j
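The reply path Joel describes, as an added example that is not from the thread: a small Python model of the conntrack tuples for a LAN client connecting to a.b.c.y:80, run with and without the POSTROUTING SNAT rule. It assumes the client sits on the same LAN as d.e.f.y; the client address d.e.f.c and source port 40000 are constructed values.

```python
# Added example (not part of the mailing-list thread): a tiny conntrack-style
# model of the hairpin case Joel describes. It traces a LAN client's packet to
# a.b.c.y:80 through PREROUTING DNAT, optional POSTROUTING SNAT on eth1, the
# server's reply, and reverse NAT. Addresses use the thread's placeholders;
# the client address d.e.f.c and the port 40000 are constructed sample values.

PUBLIC_VIP = "a.b.c.y"      # public IP that is DNATed to the server
FW_LAN_IP = "d.e.f.z"       # firewall's internal (eth1) address
SERVER = "d.e.f.y"          # internal web server
CLIENT = "d.e.f.c"          # internal client on the same LAN as SERVER (assumed)


def hairpin_exchange(hairpin_snat):
    """Simulate client -> a.b.c.y:80 and return (reply_seen_by_client, ok).

    `ok` is True when the reply's source is what the client sent to,
    i.e. a.b.c.y:80, so its TCP stack will accept the segment."""
    # Original direction, as the client sent it (and as conntrack records it).
    orig_src, orig_dst = (CLIENT, 40000), (PUBLIC_VIP, 80)
    # PREROUTING DNAT: a.b.c.y:80 becomes d.e.f.y:80; routing then picks eth1.
    fwd_src, fwd_dst = orig_src, (SERVER, 80)
    # POSTROUTING on eth1 (Joel's rule): rewrite the source to the firewall.
    # With no --to port range, the kernel keeps the source port if it is free.
    if hairpin_snat:
        fwd_src = (FW_LAN_IP, orig_src[1])
    # conntrack entry: original tuple plus the expected reply tuple (swapped).
    expected_reply = (fwd_dst, fwd_src)
    # The server answers whatever it saw as the source address.
    reply_src, reply_dst = fwd_dst, fwd_src
    if reply_dst[0] != FW_LAN_IP:
        # Same LAN: the server hands the reply straight to the client, so the
        # firewall never sees it and cannot undo the DNAT. The client expected
        # a.b.c.y:80 but receives d.e.f.y:80 and discards the segment.
        return (reply_src, reply_dst), reply_src == orig_dst
    assert (reply_src, reply_dst) == expected_reply  # conntrack reply match
    # Reverse NAT: undo SNAT (dst back to client), undo DNAT (src back to VIP).
    return (orig_dst, orig_src), True
```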