Cedric Blancher wrote:
On Sun 11/01/2004 at 13:53, Romain Moyne wrote:
OK. I'm beginning to understand... Now I have corrected my rules:
iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet
OK, fine. Now it should work ;)
But now I have a new problem: my router, my HTTP server and my
workstation are connected via a hub.
[Snip ASCII art]
I can't access my webserver from my workstation and it's very painful...
Can you still help me ? :-D
To complete Antony's answer, trying to reach your webserver from your
LAN with its public IP is a common issue that constitutes a FAQ.
We will describe what happens when your workstation (WS) tries to
connect to your Webserver (WB) via your router (R) public IP (PPP0).
WS sends a SYN to R, port 80
SYN : WS -> PPP0
R receives the SYN and DNATs it to WB, port 80
SYN : WS -> WB
WB receives the SYN and answers.
SYN,ACK : WB -> WS
But, as WB and WS are on the same network, WB answers directly to WS,
without using R as a gateway. So WS receives a SYN,ACK from WB, but was
waiting for a SYN,ACK from PPP0. That's why the connection fails.
To address this issue, you have to SNAT this kind of connection on the
router so that WB answers through R:
iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
What must I write instead of $LAN and $ETH0?
I completely agree with Antony's advice on DMZ use. From a security point of
view, redirecting a service within the LAN is a major architectural flaw.
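The complete ruleset for the situation described in the thread (outbound SNAT on ppp0, the port forward, and the hairpin SNAT so that WB answers through R), as an added example that is not part of the original messages. In the thread's notation $LAN is the LAN network in CIDR form and $ETH0 is the router's own address on the LAN; the DNAT rule is not shown in the thread and is supplied here on the assumption that it is a plain port forward of TCP 80. All addresses, interface names and the script's `apply`/show convention are assumed values for illustration, not taken from the thread.

```shell
#!/bin/sh
# Hairpin (NAT loopback) ruleset for a Linux router R with a public interface ppp0,
# a LAN on eth0, and a web server WB on that LAN. Added example, not from the thread.
# All addresses below are assumed values (RFC 1918 and RFC 5737 documentation ranges).
LAN=192.168.0.0/24        # $LAN in the thread: the LAN network, in CIDR form
ETH0=192.168.0.1          # $ETH0 in the thread: R's own address on the LAN
WB=192.168.0.2            # the web server's LAN address
WAN_IF=ppp0               # R's public interface
WAN_IP=203.0.113.10       # "My_ip_on_internet": R's public address
PORT=80

# "sh hairpin.sh apply" loads the rules; with no argument the script only prints the
# iptables commands it would run (IPT=echo), so it is safe to review first.
if [ "${1:-show}" = apply ]; then IPT=iptables; else IPT=echo; fi

nat_rules() {
    lan=$1 eth0=$2 wb=$3 wan_if=$4 wan_ip=$5 port=$6

    # 1. Outbound: hide the LAN behind the public address (the corrected rule in the thread).
    $IPT -t nat -A POSTROUTING -o "$wan_if" -j SNAT --to-source "$wan_ip"

    # 2. Port forward. Match on the destination address rather than on "-i $wan_if":
    #    a SYN from the LAN to WAN_IP arrives on eth0 and still has to be DNATed.
    $IPT -t nat -A PREROUTING -d "$wan_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$wb:$port"

    # 3. Hairpin: LAN clients whose connection was just DNATed to WB get R's LAN address
    #    as source. WB then replies to R, conntrack reverses both translations, and the
    #    client sees the SYN,ACK coming from WAN_IP as it expects. Restricting the match
    #    to the forwarded port keeps ordinary LAN->WB traffic untranslated, so WB's logs
    #    keep the real client addresses for those connections; hairpinned ones show $eth0.
    $IPT -t nat -A POSTROUTING -s "$lan" -d "$wb" -p tcp --dport "$port" \
        -j SNAT --to-source "$eth0"
}

# Forwarding must also be enabled on R: sysctl -w net.ipv4.ip_forward=1
nat_rules "$LAN" "$ETH0" "$WB" "$WAN_IF" "$WAN_IP" "$PORT"
```

The hairpin rule is only a workaround for the hub topology; as the thread says, the proper fix is to put WB in a DMZ behind a separate router interface, where the SNAT is no longer needed and the client addresses stay visible.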