Re: dnatting

Jan Engelhardt wrote:
I have a rule on my friend's broadband connection to redirect traffic from outside to an internal machine like,

iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT  \
--to-destination 192.168.10.10:80

But she complained that people from inside the network cannot do
http://1.2.3.4 in their browser and see the site. Is she correct?
What is wrong with my rule because I can see the site from outside?

The packet must pass the machine the DNAT rule is on to make the dnat effective.

And then there should be a filter table rule to ACCEPT those packets, or at least nothing to DROP or otherwise not accept them.

With a typical (Packet-Filtering-HOWTO-inspired) firewall with default DROP policy in FORWARD, you need a corresponding ACCEPT rule in FORWARD for every DNAT. In crafting such rules remember that the destination has already been rewritten in nat/PREROUTING.

The Web proxy suggestion has me puzzled. :)
--
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
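The complete rule set the reply describes, as an added example that is not part of the thread: the DNAT in nat/PREROUTING, the FORWARD ACCEPT that matches the already-rewritten destination, and a POSTROUTING masquerade for the "people from inside" case, which makes the server's replies pass back through the firewall so conntrack can undo the DNAT. The addresses and port are those from the question; LAN_NET and LAN_IF are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Publishes TCP/80 of an internal host through a
# default-DROP FORWARD firewall and makes the public address work from the LAN too.
# IPT=echo prints the rules instead of applying them (applying needs root).
: "${IPT:=iptables}"
LAN_NET=${LAN_NET:-192.168.10.0/24}   # assumption: the LAN the internal clients sit on
LAN_IF=${LAN_IF:-eth1}                # assumption: the firewall's LAN-facing interface

publish_port() {
  ext_ip=$1; int_ip=$2; port=$3
  # 1. nat/PREROUTING: rewrite the destination before the routing decision.
  #    This is the rule from the question, with the "-t nat" it needs.
  $IPT -t nat -A PREROUTING -d "$ext_ip" -p tcp --dport "$port" \
       -j DNAT --to-destination "$int_ip:$port"
  # 2. filter/FORWARD: the ACCEPT every DNAT needs. FORWARD sees the packet
  #    after nat/PREROUTING, so match the internal address, not 1.2.3.4.
  $IPT -A FORWARD -d "$int_ip" -p tcp --dport "$port" -j ACCEPT
  # 3. Hairpin case: a LAN client connecting to 1.2.3.4 gets DNATed, but the
  #    server answers the client directly (same LAN), so the reply never passes
  #    the firewall and its source is never rewritten back to 1.2.3.4; the client
  #    discards it. Masquerading LAN-originated hits forces replies via the firewall.
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$int_ip" -o "$LAN_IF" \
       -p tcp --dport "$port" -j MASQUERADE
}

# Reply packets of accepted connections; a HOWTO-style firewall has this once.
allow_established() {
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
  apply)   allow_established; publish_port 1.2.3.4 192.168.10.10 80 ;;
  preview) IPT=echo; allow_established; publish_port 1.2.3.4 192.168.10.10 80 ;;
  *)       echo "usage: $0 apply|preview  (apply needs root)" >&2 ;;
esac
```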
