Re: Public IP to Private IP

On Mon, Feb 24, 2014 at 1:13 PM, Scott Mayo <scotgmayo@xxxxxxxxx> wrote:
> On Mon, Feb 24, 2014 at 12:22 PM, Scott Mayo <scotgmayo@xxxxxxxxx> wrote:
>> On Mon, Jan 27, 2014 at 1:22 PM, Scott Mayo <scotgmayo@xxxxxxxxx> wrote:
>>> I am having some troubles getting my public IPs routed to my private IPs.
>>>
>>> Here is an example.
>>> Private IP of the main server with my IPTables:  192.168.0.1
>>> Public IP of the main server:  1.1.1.1
>>> I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
>>> Domain name example.org is pointed to 1.1.1.2
>>>
>>> I am trying to get the following public IPs to Private IPs:
>>> 1.1.1.2 -> 192.168.0.2
>>> 1.1.1.3 -> 192.168.0.3
>>>
>>> If I am outside my network and go to example.org, it seems to work fine.
>>> If I am inside my network and go to 192.168.0.2 then it works fine.
>>> If I go to example.org from inside my network then it goes back to
>>> 192.168.0.1 instead of 192.168.0.2
>>>
>>> Maybe this does not have to do with IPTables even since it works with
>>> an IP, but I thought I would ask here.  I do not have an internal DNS
>>> server.
>>>
>>> Here are the rules that I have:
>>>
>>> IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT --to-destination 192.168.0.2
>>> IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
>>>
>>> Any suggestions would be appreciated.
>>> Thanks.
>>
>>
>> I ended up finishing my setup on my new filter server.  I had not
>> messed with this problem and wanted to wait until I got it into place.
>> I am back to it now.  I appreciate the suggestions so far.  I am
>> getting ready to set up an internal DNS server, but until I do, I would
>> like to get the IPTABLES working.
>>
>> Here are the IPTABLE rules that I have in place:
>>
>> $IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT --to-destination 192.168.0.2
>> $IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j SNAT --to-source 1.1.1.2
>> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
>>
>> Here is a quick breakdown
>> ifcfg-eth0 = 1.1.1.1  #public IP of the main Squid/IPTABLES box
>> ifcfg-eth0:0 = 1.1.1.2   #Virtual IP which I want to forward on to the
>> other webserver box: example.org
>> example.org resolves to 1.1.1.2 fine
>> ifcfg-eth1 = 192.168.1.1  #private IP of the main Squid/IPTABLES box
>> 192.168.1.2  #Is the private IP that I want forward on to the other
>> webserver box: example.org
>>
>> My IPTABLES are on my Squid box.  I have just played some more and
>> found that if I take the proxy settings out of my browser and type in
>> example.org in the URL, it works fine.
>>
>> If I leave the proxy settings in and type in example.org then it comes
>> back to the main Squid box address of 192.168.1.1.
>>
>> Any idea why that would matter?  I do drop port 80 and port 3128 so
>> that the proxy cannot be gone around.  For testing purposes though, I
>> took those two drops out and it is still doing it.
>>
>> I'll get a copy of my IPTABLE rules and post also.  Just thought I
>> would post this first and see if someone had an idea of what I might
>> be looking for.
>
>
> It just dawned on me that this may be pulling from the Squid cache so
> I'll wait until after school and clear that.  Maybe my IP rules are
> correct now since it is working without going through the proxy.


I just wiped my Squid cache and that was not it.  I have even put in a
very, very simple set of rules that I will post below.  example.org is
pointed to the 1.1.1.2 IP address.

If I go to example.org (private = 192.168.0.2/public = 1.1.1.2)
without the proxy settings in the browser to point to my Squid box
(192.168.0.1) then it resolves fine.

If I go to example.org with the proxy settings in my browser to point
to my Squid box then it takes me to the webserver on 192.168.0.1
(which is my squid box and has the IPTABLES on it).

I guess I am not understanding why it would make any difference if I
am directed through the proxy or not since everything goes through
this box one way or another.  Here is the simple IPTABLES that I used
to test with.

Thanks for any info.

#!/bin/sh
EXT_IP="1.1.1.0/24"
EXT_IFACE="eth0"
EXT_BROADCAST="1.1.1.255"

INT_IP="192.168.0.1"
INT_IP_RANGE="192.168.0.0/16"
INT_IFACE="eth1"

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/sbin/iptables"

/sbin/depmod -a

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#Non required modules
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

echo "1" > /proc/sys/net/ipv4/ip_forward

#Create default policies and FLUSH the chains
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

#Allow the local network

#Forward the public address 1.1.1.2 to the internal web server
$IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT --to-destination 192.168.0.2
#Hairpin: LAN clients reaching the web server via 1.1.1.2 get their source rewritten
$IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j SNAT --to-source 1.1.1.2
#Everything else leaving eth0 uses the main public address
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1


-- 
Scott Mayo
Mayo's Pioneer Seeds
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
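The following is an added example for this thread, not Scott's script and not something posted to the list. It keeps the addresses from the thread (example.org on 1.1.1.2, web server on 192.168.0.2, Squid/iptables box on 1.1.1.1 and 192.168.0.1) and treats the interface names and the presence of Squid on the firewall as assumptions. It shows the one difference the proxy makes: when the browser is pointed at Squid, it is Squid on the firewall that opens the connection to example.org, so the packet to 1.1.1.2 is generated locally. Locally generated packets never pass the PREROUTING hook; they only traverse the nat OUTPUT chain, so a DNAT that exists only in PREROUTING is skipped and the packet is delivered to 1.1.1.2 on the box itself, which is the local web server. The same DNAT placed in the nat OUTPUT chain covers that case.

```shell
#!/bin/sh
# Added example for this thread; not Scott's script and not posted to the
# list. Addresses follow the thread; interface names and Squid running on
# this box are assumptions.
#
# Packet paths on the Squid/iptables box:
#   outside client -> 1.1.1.2        : PREROUTING (DNAT) -> FORWARD -> POSTROUTING
#   LAN client     -> 1.1.1.2        : PREROUTING (DNAT) -> FORWARD -> POSTROUTING
#   Squid on box   -> 1.1.1.2        : OUTPUT (DNAT)     -> POSTROUTING
# Only the last path skips PREROUTING, which is why the DNAT is needed twice.

PUB_VIP="1.1.1.2"        # public address example.org resolves to
PUB_MAIN="1.1.1.1"       # the box's own public address
WEB_PRIV="192.168.0.2"   # internal web server behind the DNAT
LAN="192.168.0.0/16"     # internal network, as in the thread
EXT_IFACE="eth0"         # public interface (assumed, as in the thread)
IPTABLES="/sbin/iptables"

# Emit the nat-table rules as shell commands, one per line.
nat_rules() {
    cat <<EOF
$IPTABLES -t nat -F
# forwarded traffic (outside clients and LAN clients): rewritten in PREROUTING
$IPTABLES -t nat -A PREROUTING -d $PUB_VIP -p tcp -j DNAT --to-destination $WEB_PRIV
# traffic that originates on this box (Squid): PREROUTING is never consulted,
# so the same rewrite has to live in the nat OUTPUT chain
$IPTABLES -t nat -A OUTPUT -d $PUB_VIP -p tcp -j DNAT --to-destination $WEB_PRIV
# hairpin: LAN sources reaching the web server through its public address are
# SNATed so the server's replies come back through this box, not straight to
# the client (which would not match the client's connection)
$IPTABLES -t nat -A POSTROUTING -d $WEB_PRIV -s $LAN -j SNAT --to-source $PUB_VIP
# everything else leaving the public interface uses the main address
$IPTABLES -t nat -A POSTROUTING -o $EXT_IFACE -j SNAT --to-source $PUB_MAIN
EOF
}

# Number of iptables commands the rule set installs (comment lines excluded).
rule_count() {
    nat_rules | grep -c "^$IPTABLES "
}

# APPLY=1 installs the rules (needs root on the Squid box); the default is a
# dry run that only prints them, so the set can be reviewed first.
if [ "${APPLY:-0}" = "1" ]; then
    nat_rules | sh
else
    nat_rules
    echo "# dry run: $(rule_count) iptables commands, set APPLY=1 to install"
fi
```

Run it once without APPLY to read the commands, then `APPLY=1 sh nat-hairpin.sh` on the firewall; `iptables -t nat -L OUTPUT -n` afterwards shows whether the OUTPUT DNAT is in place. The default ACCEPT policies and the full flush in the test script above are fine for isolating this NAT question, but a production rule set should restrict FORWARD and keep the port 80/3128 drops the thread mentions. The internal DNS server Scott plans would also avoid the hairpin entirely by resolving example.org to 192.168.0.2 inside the network.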