On Sun 11/01/2004 at 13:53, Romain Moyne wrote:
> Ok. I begin to understand... Now I have corrected my rules :
> iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet

OK, fine. Now it should work ;)

> But now I have a new problem : My router, my http server and my
> workstation are connected with a hub.

[Snip ASCII art]

> I can't access to my webserver with my workstation and it very painful....
> Can you still help me ? :-D

To complete Antony's answer, trying to reach your webserver from your LAN
with its public IP is a common issue that constitutes a FAQ.

We will describe what happens when your workstation (WS) tries to connect
to your Webserver (WB) via your router (R) public IP (PPP0).

WS sends a SYN to R, port 80
    SYN : WS -> PPP0
R receives the SYN and DNATs it to WB, port 80
    SYN : WS -> WB
WB receives the SYN and answers.
    SYN,ACK : WB -> WS

But, as WB and WS are on the same network, WB answers directly to WS,
without using R as gateway. So, WS receives a SYN,ACK from WB, but was
waiting for a SYN,ACK from PPP0. That's why the connection fails.

To address this issue, you have to SNAT this kind of connection on the
router so WB answers through R :

    iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0

I completely agree with Antony's advice on DMZ use. From a security point
of view, redirecting a service within the LAN is a major architectural flaw.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
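The packet walk in the reply above, traced as a small simulation (an added example, not part of the original mail). The addresses are constructed stand-ins for the mail's $LAN, $WB, $ETH0 and PPP0, the conntrack table is reduced to (src, dst) pairs, and ports are omitted because everything is port 80.

```python
import ipaddress

# Constructed addresses (assumptions; the mail only names $LAN, $WB, $ETH0, PPP0).
LAN = ipaddress.ip_network("192.168.0.0/24")
WS, WB = "192.168.0.10", "192.168.0.20"      # workstation, web server
ETH0, PPP0 = "192.168.0.1", "203.0.113.5"    # router LAN side, router public IP

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN

def router_forward(pkt, conntrack, hairpin_snat):
    """Apply R's NAT rules to a new (src, dst) packet."""
    src, dst = orig_src, orig_dst = pkt
    if dst == PPP0:                           # PREROUTING: DNAT public IP -> WB
        dst = WB
    if hairpin_snat and in_lan(src) and dst == WB:
        src = ETH0                            # POSTROUTING: -s $LAN -d $WB -j SNAT --to $ETH0
    # conntrack maps the expected reply to its reverse translation.
    conntrack[(dst, src)] = (orig_dst, orig_src)
    return (src, dst)

def connect(hairpin_snat):
    """Return (SYN as seen by WB, SYN,ACK as seen by WS, accepted by WS?)."""
    conntrack = {}
    syn_at_wb = router_forward((WS, PPP0), conntrack, hairpin_snat)
    synack = (WB, syn_at_wb[0])               # WB answers the source it saw
    if synack[1] == ETH0:
        synack_at_ws = conntrack[synack]      # reply reaches R and is un-NATed
    else:
        synack_at_ws = synack                 # same LAN: delivered directly, R never sees it
    # WS sent its SYN to PPP0, so only a reply from PPP0 matches its socket.
    return syn_at_wb, synack_at_ws, synack_at_ws == (PPP0, WS)

if __name__ == "__main__":
    for snat in (False, True):
        print("hairpin SNAT" if snat else "DNAT only   ", connect(snat))
```

With the SNAT rule in place WB logs every LAN client as $ETH0, so the web server's access log no longer shows which workstation connected.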