Hello !

Ok, configured Outlook to make better replies ;-) [And I have notes in your
original text].

I just spoke about Monit, because I thought it is easier to describe. The main
problem is accessing the apache web. For this, I have these iptables statements:

#from extern to apache [apache using 192.168.2.254]:
$IPTABLES -t nat -A PREROUTING -i eth1 -d $EXTADDR -p tcp --dport 80 -j DNAT --to-destination $INTADDR

#from LAN machines [coming from 192.168.2.0/24]:
$IPTABLES -t nat -A PREROUTING -i eth0 -d $EXTADDR -p tcp --dport 80 -j DNAT --to-destination $INTADDR

This works fine. But if I am logged onto the firewall machine and use iceweasel
interactively [on the gnome desktop] and/or curl/wget from a cron job, this
fails. I get a request timeout. This, in turn, may indicate that I am missing a
backward rule. This is my main concern [or my too small understanding of
iptables ;-) ]

Thank you for your replies so far!!

Regards,
++mabra

See my infra here: http://www.manfbraun.de/cont/tech/probs/Infra-1.png

> -----Original Message-----
> From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Andrew Beverley
> Sent: Saturday, September 01, 2012 5:15 PM
> To: mabra@xxxxxxxxxxxx
> Cc: netfilter@xxxxxxxxxxxxxxx
> Subject: RE: IPTABLES:Let external address appear as an internal address
>
> On Sat, 2012-09-01 at 01:05 +0200, mabra@xxxxxxxxxxxx wrote:
> > I studied the diagrams over and over and over again [Although there
> > are different schemas on the net, the last I've used was on
> > wikipedia].
>
> I assume you mean this one[1]. That is the most accurate, although it might be
> a bit too detailed for a beginner.
>
> > What you said comes to my mind, but I am not sure, because, what is
> > a "local process"
>
> A process running on the same machine that iptables is running on.
> Packets to/from the local process will go via the INPUT/OUTPUT chains instead
> of FORWARD.

From network programming, a process must bind to an ip-address or interface.
Does your statement mean that routing never happens in the local machine? If
there is routing, then there is the POSTROUTING's SNAT which would help me. I
am just thinking about making an additional interface, say, "eth0:0=192.168.1.1".
In this case, can I have iptables route the packet to this interface? Then this
would be another network!

> > is not quite clear in the diagram and
> > the diagram does not even have the usual LO interface, which is always
> > present too.
>
> The local interface is like a normal physical interface, so can be treated as such
> when looking at the packet flow diagram. If you're accessing a local process
> through lo, then packets will come in from lo, travel through INPUT, and be
> received by the local process. Return packets generated by the process will be
> returned via OUTPUT back to the lo interface.
>
> > Yes, the monit daemon runs on the firewall machine with the iptables.
>
> In which case you cannot use POSTROUTING to alter packets destined to it.
>
> > Even the internal web cannot be used on the local machine,
>
> There is no technical reason that it cannot.
>
> > This is not working [both curl and wget tell me: connection refused].
>
> In which case either the daemon is refusing the connection or the packets are
> being rejected by an iptables rule.
>
> > Seems to be the same
> > issue.
>
> Same issue as what?

Same situation like cron with wget/curl to access the "external apache" web.

> > I am working on this for about three days now and I am out of hope.
>
> What exactly are you trying to achieve? I have not used monit, but I would be
> surprised if you have to translate addresses and ports to make it work how you
> want it to.
>
> P.S. I recommend a better email client than MS Outlook if you want to partake
> in mailing lists. This will allow you to perform proper quoting when replying :-)
>
> Andy
>
> [1]
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of
> a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at
> http://vger.kernel.org/majordomo-info.html
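Andy's point that a local process goes through OUTPUT rather than PREROUTING, applied to the two rules mabra posted. This is an added example, not a script from the thread or its participants: it keeps mabra's variable names, takes INTADDR from the thread, and the EXTADDR, LANADDR and LANNET values are assumed placeholders. By default it only prints the rules (DRY_RUN=1) so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin DNAT that also covers processes
# running on the firewall itself. EXTADDR/LANADDR/LANNET are assumed values.
IPTABLES=${IPTABLES:-iptables}
EXTADDR=${EXTADDR:-203.0.113.10}     # assumed: public address on eth1
INTADDR=${INTADDR:-192.168.2.254}    # apache host (from the thread)
LANADDR=${LANADDR:-192.168.2.1}      # assumed: the firewall's own address on eth0
LANNET=${LANNET:-192.168.2.0/24}     # LAN behind eth0 (from the thread)
DRY_RUN=${DRY_RUN:-1}                # 1 = only print the rules, 0 = apply them

# Print the rule (DRY_RUN=1) or hand it to iptables (DRY_RUN=0).
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

hairpin_rules() {
    # Packets that ARRIVE on an interface pass nat/PREROUTING: the thread's two rules.
    rule -t nat -A PREROUTING -i eth1 -d "$EXTADDR" -p tcp --dport 80 -j DNAT --to-destination "$INTADDR"
    rule -t nat -A PREROUTING -i eth0 -d "$EXTADDR" -p tcp --dport 80 -j DNAT --to-destination "$INTADDR"
    # Packets GENERATED on the firewall (curl/wget from cron, iceweasel on the
    # desktop) never see PREROUTING; they go OUTPUT -> POSTROUTING, so the same
    # DNAT has to be repeated in nat/OUTPUT.
    rule -t nat -A OUTPUT -d "$EXTADDR" -p tcp --dport 80 -j DNAT --to-destination "$INTADDR"
    # Backward path for hairpinned flows (LAN clients and the firewall itself):
    # without SNAT, apache's replies take a route conntrack never sees and the
    # client waits until it times out. Traffic from eth1 is left untouched so
    # apache still logs the real external source address.
    rule -t nat -A POSTROUTING -o eth0 -s "$LANNET" -d "$INTADDR" -p tcp --dport 80 -j SNAT --to-source "$LANADDR"
    rule -t nat -A POSTROUTING -o eth0 -m addrtype --src-type LOCAL -d "$INTADDR" -p tcp --dport 80 -j SNAT --to-source "$LANADDR"
    # Hairpinned LAN traffic enters and leaves on eth0; permit it in FORWARD
    # (needed only when the FORWARD policy is DROP).
    rule -A FORWARD -i eth0 -o eth0 -d "$INTADDR" -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -i eth1 -o eth0 -d "$INTADDR" -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

hairpin_rules
```

Run it as root with DRY_RUN=0 to apply; the "connection refused" seen for the internal web is a different symptom (the daemon or a filter rule rejecting the connection) and is not addressed by NAT rules.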