Hello,

Scott Mayo wrote:
> On Mon, Jan 27, 2014 at 2:48 PM, Ray Soucy <rps@xxxxxxxxx> wrote:
>> The term you're looking for is "NAT reflection" or "hairpin NAT".
>>
>> If you're not running split DNS, then trying to reach a system via its
>> "outside" IP from an internal system will present a problem because
>> the source IP of the request is seen as on-link by the server, so the
>> server responds directly from an unexpected source IP and the
>> requesting host drops the request.
>>
>> You can get around this issue by NATing the return traffic when it's to
>> and from the internal network.
>>
>> Assuming that your inside interface is eth1, and your inside IP
>> network is 192.168.0.0/23:
>>
>> iptables -t nat -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 \
>>   -j MASQUERADE

Instead of masquerading, I would suggest mapping the source addresses 1:1 to a different (unused) private subnet, so that the source address seen by the final server can be mapped back to the real source address. E.g.:

iptables -t nat -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 \
  -j NETMAP --to 192.168.8.0/23

> That did not seem to work either. Getting the same results. Thanks.

Also make sure that "reflected" packets from eth1 to eth1 (replace with the real internal interface name) in the FORWARD chain are ACCEPTed.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
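The thread names three pieces that together make hairpin NAT work on a Linux gateway: the usual DNAT port-forward in PREROUTING, the NETMAP source rewrite in POSTROUTING for inside-to-inside traffic, and FORWARD rules accepting packets that enter and leave on the same inside interface. The script below is an added example written for this page, not a ruleset posted by anyone in the thread. It keeps the thread's values (eth1, 192.168.0.0/23, NETMAP target 192.168.8.0/23) and assumes, as placeholders, eth0 as the outside interface, 203.0.113.10 as the public address, and a published service on 192.168.1.20 port 443. By default it only prints the commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Hairpin ("reflected") NAT ruleset for a Linux gateway. Assumed layout:
#   - OUT_IF (eth0) carries the public address PUBLIC_IP (placeholder)
#   - IN_IF (eth1) is the inside interface, inside network IN_NET
#   - the published service lives on SERVER_IP inside, TCP port PORT
#   - MAP_NET is an unused private range used as the NETMAP target
# IPT defaults to "echo iptables" so the rules are printed, not applied.

IPT="${IPT:-echo iptables}"
OUT_IF="${OUT_IF:-eth0}"
IN_IF="${IN_IF:-eth1}"
IN_NET="${IN_NET:-192.168.0.0/23}"
MAP_NET="${MAP_NET:-192.168.8.0/23}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder documentation address
SERVER_IP="${SERVER_IP:-192.168.1.20}"   # assumed internal server
PORT="${PORT:-443}"

hairpin_nat_rules() {
    # 1. Port-forward: anything addressed to the public IP on PORT, whether
    #    it arrives from outside or from the inside LAN, is DNATed to the
    #    internal server. POSTROUTING/PREROUTING only exist in the nat table.
    $IPT -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER_IP:$PORT"

    # 2. Hairpin leg: after DNAT, an inside client's packet goes back out on
    #    IN_IF. Without source NAT the server would see an on-link source and
    #    answer the client directly, so the reply never passes the gateway's
    #    conntrack entry and the client drops it. NETMAP rewrites only the
    #    network bits, so 192.168.1.55 shows up as 192.168.9.55: a 1:1,
    #    reversible mapping that still identifies the real client in logs.
    $IPT -t nat -A POSTROUTING -s "$IN_NET" -d "$IN_NET" -o "$IN_IF" \
        -j NETMAP --to "$MAP_NET"

    # 3. FORWARD must accept the reflected packets in both directions; they
    #    enter and leave on the same interface, which a typical policy drops.
    $IPT -A FORWARD -i "$IN_IF" -o "$IN_IF" -d "$SERVER_IP" \
        -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$IN_IF" -o "$IN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check for the generated ruleset: succeeds only if every
# PREROUTING/POSTROUTING rule is placed in the nat table.
check_nat_table() {
    ! hairpin_nat_rules | grep -E 'PREROUTING|POSTROUTING' | grep -qv -- '-t nat'
}

hairpin_nat_rules
```

Two things to verify on the internal server before blaming the gateway: it must route the NETMAP range (192.168.8.0/23 here) via the gateway, which a default route already does, and its host firewall must not reject that range. Because NETMAP preserves the host bits, a connection logged from 192.168.9.55 on the server corresponds to the real client 192.168.1.55, which masquerading would have hidden behind the gateway's own address.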