Re: nat, dns, public, private, port forwarding, iptables: cant see sites on LAN with public DNS

Hello,

support@xxxxxxxxxxx wrote:

> Now my traffic hits the WAN interface of iptables, is mapped to the
> private IP, hits the box on the LAN. But for traffic originating from
> the box destined to the WAN, it appears to the WAN as just any other
> box coming out of the NAT pool, and appears to come from the gateway's
> WAN interface. It does not appear to come from its public IP.

If I understand you well, this public IP address is distinct from the router's WAN IP address which is used for masquerading the LAN, and you would like to do some 1:1 static NAT in both directions for that box.

> So, here is the part that is "interesting traffic" to my discussion.
> Question 1: Do I care? Do I want those boxes that are mapped to public
> IP's to appear to the WAN to be actually coming from those public IP's?

Don't ask us. You're the only one who can answer this question. If you answer "yes", here is some information.
In iptables, NAT comes in two *independent* forms:
- Destination NAT (DNAT), often used for port forwarding.
- Source NAT (SNAT), often used for masquerading.

As these two forms are independent, bidirectional static 1:1 NAT must combine SNAT for outbound communications and DNAT for inbound communications:

iptables -t nat -A POSTROUTING -s private_ip -j SNAT --to public_ip
iptables -t nat -A PREROUTING -d public_ip -j DNAT --to private_ip

Of course the specific 1:1 SNAT rule must appear before the general LAN masquerading rule in the POSTROUTING chain to have precedence over it.

But, most importantly, is question 2:

> I can not see the websites that are hosted on this webserver on my LAN,
> since those websites are for domains that have public DNS (and no split
> horizon DNS)(we don't want split horizon DNS). Something is breaking
> when my host tries to see these sites

This is a common issue. See <http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html>.

First, I assume that traffic in the FORWARD chain from the router's LAN interface to the same interface is allowed.

The thing that is breaking is asymmetric routing. The route from a client to the NATed LAN server is through the router, but the return route from the server to a LAN client is direct because they're on the same IP subnet. Return packets from the server must go through the router for proper de-DNAT operation, so you must restore symmetric routing. The usual way of doing this is to perform SNAT on connections routed from the LAN back to the LAN:

iptables -t nat -A POSTROUTING -o lan_iface -s lan_subnet -j SNAT \
  --to router_ip

You can use either the public or private IP address of the router. The drawback of this method is that the server does not see the real client source address. There are possible workarounds for this though, such as using the NETMAP target to perform 1:1 SNAT to an unused subnet.
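A worked version of both rule sets above (the 1:1 SNAT/DNAT pair with the masquerade ordering, and the hairpin SNAT for LAN clients reaching the server's public IP), added here as an example and not part of the original reply. Interface names and addresses are made-up placeholders, and the -o and -d restrictions on the rules are tightenings beyond what the thread shows.

```shell
#!/bin/sh
# Added example (not from the original thread): the nat-table rules for one
# 1:1 static NAT plus the hairpin SNAT for LAN clients reaching the public IP.
# All interface names and addresses below are constructed placeholders;
# 203.0.113.0/24 is the RFC 5737 documentation range.
# DRY_RUN=1 prints the rules instead of applying them, so no root is needed.

WAN_IFACE="${WAN_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"
ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.1.1}"
SERVER_PRIVATE_IP="${SERVER_PRIVATE_IP:-192.168.1.10}"
SERVER_PUBLIC_IP="${SERVER_PUBLIC_IP:-203.0.113.10}"

# Wrapper: print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

nat_rules() {
    # 1. Specific 1:1 SNAT for the server, appended BEFORE the general
    #    masquerade rule so it takes precedence for that source address.
    ipt -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$SERVER_PRIVATE_IP" \
        -j SNAT --to-source "$SERVER_PUBLIC_IP"
    # 2. General masquerading for the rest of the LAN leaving the WAN side.
    ipt -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$LAN_SUBNET" -j MASQUERADE
    # 3. Inbound DNAT for the public IP. No -i restriction, so it also catches
    #    LAN clients that resolve the public DNS name and hit the public IP.
    ipt -t nat -A PREROUTING -d "$SERVER_PUBLIC_IP" \
        -j DNAT --to-destination "$SERVER_PRIVATE_IP"
    # 4. Hairpin SNAT: LAN-to-LAN connections forwarded to the server get the
    #    router's address as source, so replies come back through the router
    #    and are un-DNATed. POSTROUTING sees the post-DNAT destination, so the
    #    rule can be narrowed to the server instead of all LAN-to-LAN traffic.
    ipt -t nat -A POSTROUTING -o "$LAN_IFACE" -s "$LAN_SUBNET" \
        -d "$SERVER_PRIVATE_IP" -j SNAT --to-source "$ROUTER_LAN_IP"
    # 5. FORWARD must permit traffic entering and leaving the LAN interface.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$LAN_IFACE" -j ACCEPT
}

# "sh script.sh apply" applies the rules (root); DRY_RUN=1 just prints them.
if [ "${1:-}" = apply ] || [ "${DRY_RUN:-0}" = 1 ]; then
    nat_rules
fi
```

Check the resulting order with `iptables -t nat -L POSTROUTING -n -v --line-numbers`: the per-host SNAT must be listed before MASQUERADE, and the hairpin rule's counters should increase when a LAN client opens the public address.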


