Hello,
Diego K. wrote:
> Hello, I have the following problem:
>
> LAN --------------------------- Etch Linux Firewall --------------------------- Internet
> 10.1.x.x/16                      | eth1:10.1.1.1       eth0:200.3.5.100
>                                  |
>                                  |
>                                  |
>                             Server1: 10.1.1.50
>
> [Beware of line wrapping]
>
> When I get a connection from the internet to 200.3.5.100:80, the IP
> forward works OK to server1, but when I try to connect to 200.3.5.100
> from the LAN it does not work. I know that I can connect to 10.1.1.50,
> but I need it from both IPs, private and public, from the LAN.
Well-known routing problem. Replies from the server go directly back to
the client and arrive there with the wrong source address.
> I have the following config:
>
> iptables -t nat -A PREROUTING -s 0/0 -p tcp -d 200.3.5.100 --dport 80 \
>     -j DNAT --to 10.1.1.50:80
> iptables -A FORWARD -p tcp -d 10.1.1.50 --dport 80 -j ACCEPT
You must SNAT the connections coming from the LAN so the reply packets
go back to the firewall which puts back the correct source address.
Adding the following rule should do it:
iptables -t nat -A POSTROUTING -o eth1 -s 10.1.0.0/16 -d 10.1.1.50 \
-p tcp --dport 80 -j SNAT --to 10.1.1.1
Note that this will prevent the server from seeing the real source
address when a connection comes from the LAN using the public address.
Also make sure traffic in FORWARD from eth1 to eth1 is accepted.
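The routing problem above and the effect of the suggested SNAT rule, as an added example that is not from the thread: a small model of the DNAT/SNAT translations and of where the server's reply is routed. Addresses and interfaces are those in Diego's diagram; the LAN client 10.1.5.7, the Internet client 8.8.4.4 and source port 40000 are constructed values. It also covers the Internet-client case, which works without SNAT because the reply must use the firewall as default route.

```python
# Added example, not from the thread: model of the hairpin-NAT case above.
# Addresses come from the diagram; client hosts and port 40000 are constructed.
from dataclasses import dataclass, replace

PUBLIC, FW_LAN, SERVER = "200.3.5.100", "10.1.1.1", "10.1.1.50"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def dnat_prerouting(p):
    # -t nat PREROUTING -p tcp -d 200.3.5.100 --dport 80 -j DNAT --to 10.1.1.50:80
    return replace(p, dst=SERVER) if (p.dst, p.dport) == (PUBLIC, 80) else p


def snat_postrouting(p, enabled):
    # -t nat POSTROUTING -o eth1 -s 10.1.0.0/16 -d 10.1.1.50 -p tcp --dport 80
    #   -j SNAT --to 10.1.1.1   (the rule suggested in the reply)
    lan_to_server = p.src.startswith("10.1.") and (p.dst, p.dport) == (SERVER, 80)
    return replace(p, src=FW_LAN) if enabled and lan_to_server else p


def hairpin(client, snat_lan):
    """Simulate client -> 200.3.5.100:80 and the server's reply.

    Returns (source address the server sees, reply as the client sees it,
    whether that reply matches the connection the client opened)."""
    original = Pkt(client, 40000, PUBLIC, 80)
    to_server = snat_postrouting(dnat_prerouting(original), snat_lan)
    # The server answers whatever source it saw, with src/dst swapped.
    reply = Pkt(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    # The reply passes the firewall only if addressed to it or if it needs
    # the default route; a 10.1/16 destination is reached directly on the LAN.
    via_firewall = reply.dst == FW_LAN or not reply.dst.startswith("10.1.")
    if via_firewall:
        # conntrack undoes SNAT and DNAT on the way back.
        seen = Pkt(original.dst, original.dport, original.src, original.sport)
    else:
        # Firewall never sees it, so nothing is un-translated.
        seen = reply
    return to_server.src, seen, seen == Pkt(PUBLIC, 80, client, 40000)


if __name__ == "__main__":
    for client, snat in (("10.1.5.7", False), ("10.1.5.7", True), ("8.8.4.4", False)):
        server_sees, seen, ok = hairpin(client, snat)
        print(f"{client} SNAT={snat}: server sees {server_sees}, reply from "
              f"{seen.src} -> {'OK' if ok else 'dropped (wrong source)'}")
```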