Re: External Resolved IPs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2003-06-16 at 17:00, Herbert G. Fischer wrote:

> My problem is that, when I try to connect to a internal server, using the
> external and real
> IP, I cannot because my FW/NAT appears to be confused or misconfigured.
> 
> For example:
> 
> Internal Network: 172.16.48.0/24
> 
> My IP: 172.16.48.10
> Server Internal IP: 172.16.48.20
> * Both are on the same network
> 
> Server External IP: 200.180.180.20 (IP alias on FW/NAT machine, that
> redirects to 172.16.48.20)
> DNS name of Server: server.domain.com, points to 200.180.180.20

> # server
> iptables -t nat -A POSTROUTING -s 172.16.48.20 -j SNAT --to-source
> 200.180.180.20
> iptables -t nat -A PREROUTING -s 0/0 -d 200.180.180.20 -j
> DNAT --to-destination 172.16.48.20
> 
> # NAT for the rest of the world
> iptables -t nat -A POSTROUTING -o eth1 -s 172.16.48.0/24 -j SNAT --to-source
> 200.180.180.22

When a request from a local client arrives at the iptables box addressed
to 200.180.180.20, it hits PREROUTING and is DNATted to the appropriate
server.  Problem is that the server tries to reply directly to the
client, (since it's a local IP) which sees a 'new' connection from
172.16.48.20, which it ignores.  Try adding:

iptables -t nat -A POSTROUTING -d 172.16.48.20 -s 172.16.48.0/24 -j SNAT
--to iptables.box.local.ip

With this additional rule in place, requests from local clients hit the
iptables box and are DNATted to the local server, then before leaving
the iptables box they are SNATted so that the server sends its reply
back to the iptables box.  When that reply is received by the iptables
box, it unSNATs and restores the correct destination IP (the local
client) then before it leaves the box it unDNATs to restore the correct
source IP (the local server's public IP).

j




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux