Re: Redirect back to internal network

On 11/07/08 11:06, Henrique Netfilter wrote:
Apparently it did work. But once my web server answers, the answer is not sent back to the machines in my internal network.

Anyone who can shed some light on it?

Now that things are working, I'll explain why it was not working before.

lan.C is the internal IP of the LAN client.
lan.R is the internal IP of the router.
www.R is the external IP of the router.
www.S is the external IP of the server.
lan.S is the internal IP of the server.

The client sends the request packet with a source IP of 'lan.C' and a destination IP of 'www.S'.

The router receives the packet with a source IP of 'lan.C' and a destination IP of 'www.S'. The router knows that any traffic going to 'www.S' (port 80) is to be redirected to the internal server 'lan.S'. So the router NATs the destination address and sends a new packet with a source IP of 'lan.C' and a destination IP of 'lan.S'.

The server receives the packet with a source IP of 'lan.C' and a destination IP of 'lan.S'. The server will process the request and reply with a new packet. The server sends a new packet back to the client with a source address of 'lan.S' and a destination IP of 'lan.C'.

The client receives a reply packet with a source IP of 'lan.S' and a destination IP of 'lan.C'. This reply packet does not match any packet that the client knows about, so it disregards it (it may also tell the server to reset the connection).

This is the simple premise of what I refer to as the "TCP Triangle".

You can see from the above and the rules in my other email that the router will have to SNAT / MASQUERADE any traffic /from the lan/ that is being redirected to the server. This way the server will reply back to the router which will then reply back to the client.

A short packet flow will look like this:

lan.C -> www.S    # Client sends the request

lan.C -> lan.S    # Router DNAT's the request
lan.R -> lan.S    # Router SNAT's the request

lan.R -> lan.S    # Server receives the request
lan.S -> lan.R    # Server sends the reply

lan.S -> lan.C    # Router (un)DNAT's the reply
www.S -> lan.C    # Router (un)SNAT's the reply

www.S -> lan.C    # Client receives the reply
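To make the triangle concrete, here is a small simulation of the flow above. It is an added example and not code from the original post or the netfilter project; the addresses are constructed placeholders named after the ones used here (lan.C, lan.R, www.S, lan.S), and the router is a minimal conntrack-style NAT table that applies the DNAT on the way in, the optional SNAT on the way out, and undoes both from the same entry when a reply comes back to it. Run it once with hairpin SNAT off and once with it on: without SNAT the server answers lan.C directly, the router never sees the reply, and the client gets a packet from lan.S that matches nothing it sent; with SNAT the reply is addressed to lan.R, the router restores www.S as the source, and the client accepts it.

```python
"""Simulation of the NAT "triangle" from the post above.

Added example, not code from the original mailing-list message. Addresses
are constructed placeholders named after the post (lan.C, lan.R, www.S,
lan.S). The assumed rule shape on the router, in standard iptables syntax
(the post's own rules are in another message and are not reproduced here):
  iptables -t nat -A PREROUTING  -d www.S -p tcp --dport 80 -j DNAT --to-destination lan.S
  iptables -t nat -A POSTROUTING -s <lan subnet> -d lan.S -p tcp --dport 80 -j SNAT --to-source lan.R
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder addresses (RFC 5737 documentation ranges).
LAN_NET = ip_network("192.0.2.0/24")
LAN_C = "192.0.2.10"      # lan.C: LAN client
LAN_R = "192.0.2.1"       # lan.R: router's internal address
LAN_S = "192.0.2.80"      # lan.S: server's internal address
WWW_S = "198.51.100.80"   # www.S: server's public address, terminated on the router
HTTP = 80
CLIENT_PORT = 40000       # ephemeral source port chosen by the client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def as_tuple(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reply_tuple(self):
        """Tuple a reply to this packet must carry to match it."""
        return (self.dst, self.dport, self.src, self.sport)


def on_lan(addr: str) -> bool:
    return ip_address(addr) in LAN_NET


class Router:
    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # reply tuple as the server will send it -> the client's original packet
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        """PREROUTING DNAT, then POSTROUTING SNAT, recording one NAT entry."""
        dst = LAN_S if (pkt.dst, pkt.dport) == (WWW_S, HTTP) else pkt.dst
        src = pkt.src
        if self.hairpin_snat and on_lan(pkt.src) and on_lan(dst):
            src = LAN_R  # hide the LAN client so the server answers the router
        out = Packet(src, pkt.sport, dst, pkt.dport)
        self.conntrack[out.reply_tuple()] = pkt
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Undo both translations from the stored entry; None if no state."""
        orig = self.conntrack.get(reply.as_tuple())
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def server_reply(request: Packet) -> Packet:
    """The server answers whatever source address it saw."""
    return Packet(request.dst, request.dport, request.src, request.sport)


def trace(hairpin_snat: bool):
    """Return the flow as (stage, packet) pairs; the last pair is the reply
    as the client sees it (None if nothing reaches it via the router)."""
    router = Router(hairpin_snat)
    request = Packet(LAN_C, CLIENT_PORT, WWW_S, HTTP)
    steps = [("client sends", request)]
    fwd = router.forward(request)
    steps.append(("router forwards", fwd))
    reply = server_reply(fwd)
    steps.append(("server replies", reply))
    if reply.dst == LAN_R:
        reply = router.reverse(reply)  # only the router's address brings it back
        steps.append(("router un-NATs", reply))
    # Otherwise the server sends straight across the LAN to lan.C: the router
    # never sees the reply, so nothing restores the www.S source address.
    steps.append(("client receives", reply))
    return steps


def client_accepts(hairpin_snat: bool) -> bool:
    """True if the reply matches the connection the client opened."""
    reply = trace(hairpin_snat)[-1][1]
    expected = Packet(LAN_C, CLIENT_PORT, WWW_S, HTTP).reply_tuple()
    return reply is not None and reply.as_tuple() == expected


if __name__ == "__main__":
    for snat in (False, True):
        print(f"hairpin SNAT {'on' if snat else 'off'}:")
        for stage, p in trace(snat):
            where = f"{p.src}:{p.sport} -> {p.dst}:{p.dport}" if p else "(dropped)"
            print(f"  {stage:16} {where}")
        print("  client accepts reply:", client_accepts(snat))
```

The SNAT step costs you the client's real address in the server's logs (every hairpinned request appears to come from lan.R), which is the usual trade-off of this fix; split DNS, so LAN clients resolve the name to lan.S directly, avoids the triangle altogether without that loss.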



Grant. . . .
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
