RE: LAN Port forwarding with a dynamic IP address


> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx 
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Zac Hansen
> Sent: Friday, October 21, 2005 7:00 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: LAN Port forwarding with a dynamic IP address
> 
> I have a single, dynamic IP address. I have multiple boxes 
> behind a linux router, one of which runs a web server on port 
> 80. I have set up rules (a PREROUTING and a FORWARD rule) to 
> let people outside my LAN see my web server. The problem 
> is that the boxes on my LAN can't see it.
> 
> I really don't want to hardcode my external IP address into 
> any rules and I don't want to do any DNS work to make the LAN 
> boxes look up the actual server's LAN IP address directly.
> 
> Can I get my LAN boxes to see my web site and not do the 
> things I don't want to do?
> 
> Thanks.
> 
> --Zac

Your internal boxes will never see the website unless you add internal
DNS, do something extremely complicated with scripts and routing and
mangling of packets, or go with a three-legged setup. The reason for
this is that without manipulation, a router will never send a packet
*out* through the same interface it came *in* on. 

What you want is for your internal LAN boxes to send a packet destined
to your dynamic external IP to your firewall's LAN interface and for
your firewall to say, "Hey, that server is actually <internal IP>! Let's
bounce this packet there!" after which it would mangle the destination
IP to be the internal IP and send it back. Also, you have to convince
the kernel's routing functions to take a packet which has nothing to do
with that machine and send it on to your internal webserver for every
request since your internal LAN boxes will always believe the web server
is at the external IP.

I'm sure it can be done, but internal DNS is much easier, believe me.

Derick Anderson
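The "bounce it back" mechanism described in the reply above, as an added example that is not part of the original thread: a DNAT on the LAN side rewrites the external address to the internal server, a MASQUERADE on the same LAN interface makes the server's replies return via the firewall, and a FORWARD rule lets the in-and-out-on-one-interface flow pass. The dynamic address is read from the external interface at run time rather than hardcoded, so the script can be re-run from a DHCP or PPP up-hook whenever it changes. Interface names, subnet and server address are constructed assumptions.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for the setup in the thread: one dynamic
# external address on an outside interface, a web server on the LAN, and
# LAN clients that connect to the external address.
# Example code, not from the original post; names below are constructed.

# Extract the first IPv4 address from `ip -4 -o addr show dev <if>` output
# (read from stdin), so the current dynamic address is used at run time
# instead of being written into a rule.
ext_ip_from_ip_output() {
    sed -n 's/^.* inet \([0-9.]*\)\/[0-9]*.*$/\1/p' | head -n 1
}

# Print the iptables commands for hairpin NAT. Arguments:
#   $1 external IP, $2 LAN interface, $3 LAN subnet, $4 server LAN IP, $5 port
hairpin_rules() {
    ext_ip=$1; lan_if=$2; lan_net=$3; srv=$4; port=$5
    # 1. LAN client -> external IP: rewrite the destination to the internal
    #    server (the same DNAT the poster has for the WAN side, now on the LAN side).
    echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $srv:$port"
    # 2. Rewrite the source as well, only for these LAN->server hairpin flows,
    #    so the server answers the firewall instead of the client directly
    #    (the client would drop a reply from the server's real address).
    #    Side effect to keep in mind: the web server's logs show the firewall's
    #    LAN address for hairpinned clients, not the clients' own addresses.
    echo "iptables -t nat -A POSTROUTING -o $lan_if -s $lan_net -d $srv -p tcp --dport $port -j MASQUERADE"
    # 3. Allow the flow that enters and leaves on the same LAN interface.
    echo "iptables -A FORWARD -i $lan_if -o $lan_if -s $lan_net -d $srv -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Read the current external address and install the rules.
#   $1 external interface, $2 LAN interface, $3 LAN subnet, $4 server IP, $5 port
# Re-run from the DHCP/PPP up-script when the address changes (flush the old
# hairpin rules first; this example only appends).
apply_hairpin() {
    ext_ip=$(ip -4 -o addr show dev "$1" | ext_ip_from_ip_output)
    [ -n "$ext_ip" ] || { echo "no IPv4 address on $1" >&2; return 1; }
    hairpin_rules "$ext_ip" "$2" "$3" "$4" "$5" | sh
}

# Usage on the router (constructed names):
#   apply_hairpin eth0 eth1 192.168.1.0/24 192.168.1.10 80
```

Forwarding must also be enabled in the kernel (net.ipv4.ip_forward=1) for any of this to take effect.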


