Hello!

I do not understand iptables too deeply, ... but some day I had the same problem and used this advice:

>Accessing a DNAT server from the local LAN using the public IP address<
http://www.rigacci.org/wiki/doku.php/doc/appunti/linux/sa/iptables

This is in use for my private home LAN, which is not too solid. In case of failure, the DNS resolution fails and my internal nodes are no longer reachable. I am on rewrite and will use a separate DNS for internal access.

Maybe that helps.

Regards,
Manfred

> -----Original Message-----
> From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Jeremy Hansen
> Sent: Friday, January 13, 2017 10:15 AM
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: Routing LAN to external IP from behind NAT
>
> I have a Linux firewall/NAT host on my network port forwarding specific
> ports such as port 80 to a host within the LAN. This works fine when I'm
> connecting from outside of the LAN. What do I have to do with iptables so
> I can access these things from within the LAN without having to do
> something like fake DNS so it uses internal IPs to access these hosts and
> ports?
>
> Current ruleset looks like this:
>
> Chain INPUT (policy ACCEPT)
> target        prot opt source          destination
> LOG_AND_DROP  all  --  43.229.53.68    0.0.0.0/0
> LOG_AND_DROP  all  --  46.148.18.162   0.0.0.0/0
> LOG_AND_DROP  all  --  159.226.35.207  0.0.0.0/0
> LOG_AND_DROP  all  --  111.224.46.7    0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target  prot opt source     destination
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
> ACCEPT  tcp  --  0.0.0.0/0  192.168.10.10  tcp dpt:80  state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  192.168.10.10  tcp dpt:443 state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  192.168.10.10  tcp dpt:25  state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  192.168.10.10  tcp dpt:587 state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  192.168.10.10  tcp dpt:143 state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  192.168.10.10  tcp dpt:993 state NEW,RELATED,ESTABLISHED
>
> Chain OUTPUT (policy ACCEPT)
> target  prot opt source  destination
>
> Chain LOG_AND_DROP (4 references)
> target  prot opt source     destination
> LOG     all  --  0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 4 prefix `HOST DENIED: '
> DROP    all  --  0.0.0.0/0  0.0.0.0/0
>
> Trying to connect to port 80 on the external IP from within the LAN
> results in this:
>
> telnet www.blah.com 80
> Trying 111.114.34.128...
> telnet: connect to address 111.114.34.128.: Connection refused
> telnet: Unable to connect to remote host
>
> Thank you for any help.
>
> -jeremy
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
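The "hairpin NAT" (NAT loopback) rule set that the linked wiki page is about, written out as an added shell example; it is not code from either post or from the rigacci.org page. The public address 111.114.34.128 and the internal server 192.168.10.10 are taken from the thread; the LAN subnet 192.168.10.0/24 and the port list (copied from the FORWARD chain above) are assumptions for the example. The script prints the rules by default and only executes them when run as root with `--apply`, so the generated rule set can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the list thread): hairpin / NAT-loopback rules so
# that LAN clients can reach a DNAT'ed service through the public address.
# Assumptions (constructed for this example): the LAN subnet and the port
# list; public IP and server IP are taken from the quoted mail.
PUBLIC_IP="111.114.34.128"
SERVER_IP="192.168.10.10"
LAN_NET="192.168.10.0/24"
PORTS="80 443 25 587 143 993"

# Emit the two nat-table commands for one TCP port without executing them.
hairpin_rules_for_port() {
    port="$1"
    # 1. DNAT with no "-i <wan-interface>" restriction: a SYN from the LAN that
    #    is addressed to the public IP must match this rule as well, otherwise
    #    it ends up in the firewall's own INPUT chain (nothing listens on the
    #    port there, hence "Connection refused").
    echo "iptables -t nat -A PREROUTING -d $PUBLIC_IP -p tcp --dport $port -j DNAT --to-destination $SERVER_IP:$port"
    # 2. Source NAT only for LAN-originated, already-DNAT'ed packets: the server
    #    then answers to the firewall, which reverses the DNAT on the reply.
    #    Without it the server would reply directly to the LAN client from
    #    192.168.10.10, which the client rejects because it expects a reply
    #    from the public address. Restricting to -s $LAN_NET keeps the real
    #    source address of Internet clients in the server's logs.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $SERVER_IP -p tcp --dport $port -j MASQUERADE"
}

# All rules for all ports; the existing FORWARD rules already accept this
# traffic, so the filter table needs no change.
hairpin_rules() {
    for p in $PORTS; do
        hairpin_rules_for_port "$p"
    done
}

# Number of generated rules: two per port.
hairpin_rule_count() {
    hairpin_rules | wc -l | tr -d ' '
}

# Apply only when explicitly requested and running as root; otherwise print.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    hairpin_rules | while IFS= read -r cmd; do eval "$cmd"; done
else
    hairpin_rules
fi
```

The trade-off of the MASQUERADE rule is that the internal server sees the firewall's LAN address instead of the client's for connections from inside, which matters for per-client logging and rate limiting on that host; the split-DNS approach Manfred mentions avoids that at the cost of a second DNS view to maintain.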