Re: dnatting

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jul 11, 2005 at 11:18:30AM -0400, Payal Rathod wrote:
> Hi,
> I have a rule on my friend's broadband connection to redirect traffic 
> from outside to an internal machine like,
> 
> iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT  \
> --to-destination 192.168.10.10:80
> 
> But she complained that people from inside the network cannot do
> http://1.2.3.4 in their browser and see the site. Is she correct?
> What is wrong with my rule because I can see the site from outside?

1)  client; say 192.168.10.100, sends TCP SYN to 1.2.3.4

2)  iptables machine receives packet destined for 1.2.3.4, DNAT's it to
    192.168.10.10 and forwards the packet out the internal interface

3)  192.168.10.10 receives TCP SYN from 192.168.10.100 and replies
    directly to 192.168.10.100 with a SYN/ACK

4)  client; 192.168.10.100, receives SYN/ACK from 192.168.10.10 and
    discards it, as it matches no connection in the SYN_SENT state
    (recall that our SYN was sent to 1.2.3.4).

that the why.  the proper way to avoid this is to have people on the
inside connect to 192.168.10.10.  i will leave all the half-assed
work-arounds and kludges as an exercise for the reader and other
posters.

-j

--
"Peter: This party couldn't be better if Jesus was here.
 Jesus: For my next miracle, I will turn water... into FUNK."
        --Family Guy


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux