On Mon, 03/12/2007 at 15:44 +0100, Jakub Nadolny writes:
> On Mon, Dec 03, 2007 at 03:12:25PM +0100, Pascal Hambourg wrote:
>
> >> <citaat van="Jakub Nadolny">
> >>> I try to do simple address:port forwarding and I can not get it
> >>> working. I want to have all traffic sent to
> >>> some.internet.address:some_port to be forwarded to 192.168.155.123:80.
> >>>
> >>> So I guess the following rule should work fine:
> >>> iptables -t nat -A PREROUTING -p tcp -d some.internet.address --dport 1234
> >>> -j DNAT --to 192.168.155.123:80
> >>>
> >>> But when after that I enter some.internet.address:1234 in firefox I can
> >>> not see the webpage which is located at 192.168.155.123. It tries to connect
> >>> but there is no result.
> >>>
> >>> What could be the reason for that?
> >> If you are doing this from the same network the webserver is on, this will
> >> not work. The return traffic is going straight back to the client instead
> >> of being 'Natted-back' by the firewall.
> >
> > That's when the DNAT is done on a router and the browser and the server are
> > on the same side of the router. The workaround is to SNAT the DNAT-ed
> > connection in the POSTROUTING chain as it is forwarded back to the LAN.
> > Take care to SNAT only connections from the local network, not those from
> > the internet, because it hides the original source address.
> >
> > If you are not doing the port forwarding on a router but on the box the web
> > browser is running on, the DNAT must be done in the OUTPUT chain instead of
> > PREROUTING.
>
> Unfortunately the result is the same when I try to connect from outside of
> the local network.
>
> So my configuration is like that:
>
>  web server      |        | server with NAT  |        |
>  192.168.155.123 |--------| 192.168.155.122  |-------| Internet
>                  |        | some.internet.ip |        |
>
> Whether I connect from my local network (192.168.155.*) or from outside
> the result is the same.
> In the web browser I enter the IP address - not a domain name.
>
> # iptables -t nat -L -n
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  0.0.0.0/0            some.internet.ip     tcp dpt:80 to:192.168.155.123:80
>
> To be sure I have temporarily turned off all other rules:
>
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> Do you have some suggestions?

First of all make some checks with tcpdump to see the packets. Do you see them entering the www-server? Leaving the router?

Make sure the www-server's virtualhosts will accept the domain you are redirecting.

--
Покотиленко Костик <casper@xxxxxxxxxxxx>

-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
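Pascal's workaround from the thread, written out as a complete ruleset for Jakub's topology. This is an added example, not something posted on the list; it assumes the addresses from the diagram (LAN 192.168.155.0/24, router LAN side 192.168.155.122, web server 192.168.155.123:80), the external port 1234 from the first rule, and 203.0.113.10 as a placeholder for some.internet.ip.

```shell
#!/bin/sh
# Hairpin (NAT loopback) ruleset for the thread's topology. Added example,
# not from the list. Assumed values: LAN 192.168.155.0/24, router LAN side
# 192.168.155.122, web server 192.168.155.123:80, external port 1234, and
# 203.0.113.10 as a placeholder for some.internet.ip.
LAN_NET="192.168.155.0/24"
ROUTER_LAN_IP="192.168.155.122"
WEB_SERVER="192.168.155.123"
WEB_PORT="80"
EXT_PORT="1234"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"

# With DRY_RUN set, print each command instead of executing it, so the
# ruleset can be reviewed (and tested) without root.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

hairpin_nat_rules() {
    # 1. DNAT for every client, LAN or internet, that hits PUBLIC_IP:EXT_PORT.
    ipt -t nat -A PREROUTING -p tcp -d "$PUBLIC_IP" --dport "$EXT_PORT" \
        -j DNAT --to-destination "$WEB_SERVER:$WEB_PORT"
    # 2. The hairpin fix: for LAN clients only, rewrite the source to the
    #    router's LAN address so the server's replies return through the
    #    router instead of going straight to the client, which would drop a
    #    SYN-ACK from an address it never connected to. The -s restriction
    #    keeps real client addresses visible to the server for internet hits.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$WEB_SERVER" -p tcp \
        --dport "$WEB_PORT" -j SNAT --to-source "$ROUTER_LAN_IP"
    # 3. Let the forwarded connection through the filter table, in case
    #    FORWARD's policy is not ACCEPT as it was in Jakub's listing.
    ipt -A FORWARD -p tcp -d "$WEB_SERVER" --dport "$WEB_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Without forwarding enabled the DNATed packets never leave the router.
enable_forwarding() {
    if [ -n "${DRY_RUN:-}" ]; then echo "sysctl -w net.ipv4.ip_forward=1"
    else sysctl -w net.ipv4.ip_forward=1; fi
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding && hairpin_nat_rules
fi
```

Run it as `DRY_RUN=1 sh hairpin.sh apply` to print the commands first; once applied, the packet counters in `iptables -t nat -L -n -v` show whether LAN clients actually hit the SNAT rule.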