Re: PREROUTING problem

Hello,

Diego K. wrote:
Hello, I have the following problem

LAN ---------------------------------Etch Linux
Firewall-----------------------------------------------------Internet
10.1.x.x/16    |             eth1:10.1.1.1             eth0:200.3.5.100
                        |
                        |
                        |
Server1: 10.1.1.50

[Beware of line wrapping]

When I get a connection from the internet to 200.3.5.100:80, the IP
forward works OK to server1, but when I try to connect to 200.3.5.100
from the LAN it does not work. I know that I can connect to 10.1.1.50,
but I need it to work from both IPs, private and public, from the LAN.

Well known routing problem. Replies from the server go directly back to the client and arrive there with the wrong source address.

I have the following config

iptables -t nat -A PREROUTING -s 0/0 -p tcp -d 200.3.5.100 --dport 80 \
  -j DNAT --to 10.1.1.50:80
iptables -A FORWARD -p tcp -d 10.1.1.50 --dport 80 -j ACCEPT

You must SNAT the connections coming from the LAN so the reply packets go back to the firewall which puts back the correct source address. Adding the following rule should do it:

iptables -t nat -A POSTROUTING -o eth1 -s 10.1.0.0/16 -d 10.1.1.50 \
  -p tcp --dport 80 -j SNAT --to 10.1.1.1

Note that this will prevent the server from seeing the real source address when a connection comes from the LAN using the public address.

Also make sure traffic in FORWARD from eth1 to eth1 is accepted.
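To make the routing argument above concrete, here is an added model (not from the thread or from netfilter itself) of the two packet paths: it applies the DNAT rule from the original config with and without the proposed SNAT rule and reports which source address the client and the server end up seeing. The LAN client 10.1.1.20 and the Internet client 203.0.113.7 are constructed addresses; the firewall and server addresses are those from the diagram.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread; the client addresses used with these functions are constructed.
FW_PUBLIC = "200.3.5.100"   # eth0, the address the DNAT rule matches
FW_LAN = "10.1.1.1"         # eth1, the address the SNAT rule substitutes
SERVER = "10.1.1.50"
LAN = ipaddress.ip_network("10.1.0.0/16")

def on_lan(addr):
    return ipaddress.ip_address(addr) in LAN

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 80

def firewall_forward(pkt, snat_lan):
    """Apply the PREROUTING DNAT from the original config and, if snat_lan is set,
    the POSTROUTING SNAT proposed in the reply. Returns the packet as the server sees it."""
    if pkt.dst == FW_PUBLIC and pkt.dport == 80:
        pkt = replace(pkt, dst=SERVER)        # -j DNAT --to 10.1.1.50:80
    if snat_lan and on_lan(pkt.src) and pkt.dst == SERVER:
        pkt = replace(pkt, src=FW_LAN)        # -j SNAT --to 10.1.1.1
    return pkt

def reply_source_seen_by_client(client, snat_lan):
    """Simulate one request/reply and return the source address on the reply
    as it arrives at the client."""
    request = Packet(src=client, dst=FW_PUBLIC)
    at_server = firewall_forward(request, snat_lan)
    reply = Packet(src=at_server.dst, dst=at_server.src)
    # The server and a LAN client share a subnet, so a reply addressed to the client
    # itself is delivered directly and never crosses the firewall: no un-NAT happens.
    if on_lan(reply.dst) and reply.dst != FW_LAN:
        return reply.src
    # Otherwise the reply reaches the firewall, and conntrack reverses both
    # translations so the client sees the address it originally connected to.
    return request.dst

def client_accepts_reply(client, snat_lan):
    """A TCP client only matches a reply whose source is the address it connected to."""
    return reply_source_seen_by_client(client, snat_lan) == FW_PUBLIC

def source_seen_by_server(client, snat_lan):
    """What the server logs as the client address (the caveat about lost source addresses)."""
    return firewall_forward(Packet(src=client, dst=FW_PUBLIC), snat_lan).src
```

Without the SNAT rule a LAN client receives the reply from 10.1.1.50 instead of 200.3.5.100 and discards it; with the rule the reply returns via 10.1.1.1 and is un-NATed, at the cost of the server seeing 10.1.1.1 as the client.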
