Do a SNAT on the LAN interface for packets that go to the private IP of the webserver with source IP $LAN/$MASK. Something like:

lan=eth1
ipl=192.168.0.1
web=192.168.0.10
net=192.168.0.0/24
iptables -t nat -A POSTROUTING -o $lan -p tcp --dport 80 -d $web -s $net -j SNAT --to $ipl

And a router will send packets wherever the routing table says. Only rp_filter can drop some of them (not in your case).

On 10/21/05, Derick Anderson <danderson@xxxxxxxxx> wrote:
>
>
> > -----Original Message-----
> > From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> > [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Zac Hansen
> > Sent: Friday, October 21, 2005 7:00 AM
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: LAN Port forwarding with a dynamic IP address
> >
> > I have a single, dynamic IP address. I have multiple boxes
> > behind a linux router, one of which runs a web server on port
> > 80. I have set up rules (a PREROUTING and a FORWARD rule) to
> > let people outside my LAN see my web server. The problem
> > is that the boxes on my LAN can't see them.
> >
> > I really don't want to hardcode my external IP address into
> > any rules and I don't want to do any DNS work to make the LAN
> > boxes look up the actual server's LAN IP address directly.
> >
> > Can I get my LAN boxes to see my web site and not do the
> > things I don't want to do?
> >
> > Thanks.
> >
> > --Zac
>
> Your internal boxes will never see the website unless you add internal
> DNS, do something extremely complicated with scripts and routing and
> mangling of packets, or go with a three-legged setup. The reason for
> this is that without manipulation, a router will never send a packet
> *out* through the same interface it came *in* on.
>
> What you want is for your internal LAN boxes to send a packet destined
> to your dynamic external IP to your firewall's LAN interface and for
> your firewall to say, "Hey, that server is actually <internal IP>! Let's
> bounce this packet there!" after which it would mangle the destination
> IP to be the internal IP and send it back. Also, you have to convince
> the kernel's routing functions to take a packet which has nothing to do
> with that machine and send it on to your internal webserver for every
> request since your internal LAN boxes will always believe the web server
> is at the external IP.
>
> I'm sure it can be done, but internal DNS is much easier, believe me.
>
> Derick Anderson
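An added example, not from anyone in the thread: a small model of why the DNAT-only setup fails for LAN clients and why the POSTROUTING SNAT in the reply fixes it. It uses the thread's addresses (router 192.168.0.1, web server 192.168.0.10, LAN 192.168.0.0/24); the external address 203.0.113.7 and the client 192.168.0.5 are constructed placeholders, and the model ignores port rewriting that a real SNAT may also do.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")                  # from the thread
ROUTER_LAN, WEB = "192.168.0.1", "192.168.0.10"     # from the thread
ROUTER_EXT, CLIENT = "203.0.113.7", "192.168.0.5"   # constructed placeholders

def router_forward(pkt, conntrack, hairpin_snat):
    """Model the router: PREROUTING DNAT, routing, POSTROUTING SNAT.
    pkt is (src, dst, sport, dport); returns the packet as it leaves."""
    src, dst, sport, dport = pkt
    # PREROUTING: the existing port-forward rule, DNAT :80 on the external IP.
    if dst == ROUTER_EXT and dport == 80:
        dst = WEB
    # Routing decision: egress is chosen from the destination only, so a
    # LAN-sourced packet goes straight back out the LAN interface it came in on.
    out_if = "eth1" if ip_address(dst) in LAN else "eth0"
    # POSTROUTING: the SNAT rule from the reply (-o eth1 -d $web -s $net).
    if hairpin_snat and out_if == "eth1" and dst == WEB and dport == 80 \
            and ip_address(src) in LAN:
        src = ROUTER_LAN
    out = (src, dst, sport, dport)
    conntrack[out] = pkt   # remember the original tuple for the reply path
    return out

def router_reverse(reply, conntrack):
    """Undo both translations on a reply that reaches the router."""
    fwd = (reply[1], reply[0], reply[3], reply[2])
    orig = conntrack[fwd]
    return (orig[1], orig[0], orig[3], orig[2])

def client_view(hairpin_snat):
    """Send one request from the LAN client to the external IP and report
    where the reply appears to come from and whether the client's TCP stack
    would match it to the connection it opened."""
    conntrack = {}
    request = (CLIENT, ROUTER_EXT, 40000, 80)
    to_web = router_forward(request, conntrack, hairpin_snat)
    # The web server answers whatever source the packet carried.
    reply = (to_web[1], to_web[0], to_web[3], to_web[2])
    if reply[1] == ROUTER_LAN:
        reply = router_reverse(reply, conntrack)   # comes back via the router
    # Otherwise the switch delivers it straight to the client, bypassing NAT.
    expected = (ROUTER_EXT, CLIENT, 80, 40000)
    return {"reply_from": reply[0], "matches_connection": reply == expected}

if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT on " if snat else "SNAT off", client_view(snat))
```

Without the SNAT the reply arrives directly from 192.168.0.10, which the client never talked to, so its TCP stack discards it; with the SNAT the reply returns through the router and is un-NATed back to the external address.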