This works perfectly. Thank you very much!

-jeremy

> On Jan 13, 2017, at 2:25 AM, Matt Killock <lists@xxxxxxxxxxx> wrote:
>
> On 2017-01-13 10:25, Matt Killock wrote:
>> On 2017-01-13 09:14, Jeremy Hansen wrote:
>>> What do I have to
>>> do with iptables so I can access these things from within the LAN
>>> without having to do something like fake dns so it uses internal IPs
>>> to access these hosts and ports?
>> You'd need to do some careful NAT'ing.
>> First you'd need to direct traffic arriving on the internal interface
>> from the LAN hosts to each of those IP addresses, and DNAT to the
>> relevant internal host IP. Something like
>> iptables -t nat -A PREROUTING -i $LANIF -s $LANSUBNET -d 111.114.34.128 -p tcp --dport 80 -j DNAT --to $LANSERVER
>> You need to narrow down the interface/destination host/port as much as
>> possible to stop this interfering with any general NAT rules you have
>> got. Next you'd need to SNAT the traffic that you've just DNAT'd so
>> that it appears to come from the firewall host
>> iptables -t nat -A POSTROUTING -o $LANIF -s $LANSUBNET -d $LANSERVER -p tcp --dport 80 -j SNAT --to $FWLANIP
>> These rules would need to come before any general NAT rules.
>> $LANIF = your internal LAN interface
>> $LANSUBNET = internal subnet
>> $LANSERVER = internal LAN IP of your server
>> $FWLANIP = the LAN IP on your firewall
>> Matt
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
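
The DNAT/SNAT rule pair from the reply above, generalized to several public-address and port mappings, as an added example that is not part of the original thread. The interface name, subnet, addresses and mapping table are constructed placeholders, and using -I instead of -A is this example's way of keeping the narrow rules ahead of any general NAT rules; the script only prints the commands.

```shell
#!/bin/sh
# Added example: prints the hairpin-NAT rule pair per mapping; applies nothing.
# All addresses are constructed placeholders (RFC 5737 / RFC 1918 ranges).
LANIF="eth1"                # internal LAN interface (assumed name)
LANSUBNET="192.168.1.0/24"  # internal subnet
FWLANIP="192.168.1.1"       # LAN IP of the firewall

# One mapping per line: public_ip proto port internal_server_ip
MAPPINGS="203.0.113.10 tcp 80 192.168.1.20
203.0.113.10 tcp 443 192.168.1.20
203.0.113.11 tcp 25 192.168.1.30"

# Strict dotted-quad check so no field can smuggle extra iptables arguments.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

is_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

hairpin_rules() {
    printf '%s\n' "$1" | while read -r pub proto port server; do
        if ! is_ipv4 "$pub" || ! is_ipv4 "$server" || ! is_port "$port"; then
            echo "skipped: bad address or port in '$pub $proto $port $server'" >&2
            continue
        fi
        case "$proto" in tcp|udp) ;; *) echo "skipped: bad protocol '$proto'" >&2; continue ;; esac
        # -I puts the narrow rule ahead of any general NAT rules in the chain.
        # DNAT: LAN clients hitting the public address are sent to the server.
        echo "iptables -t nat -I PREROUTING -i $LANIF -s $LANSUBNET -d $pub -p $proto --dport $port -j DNAT --to-destination $server"
        # SNAT: replies must return via the firewall, so rewrite the source.
        echo "iptables -t nat -I POSTROUTING -o $LANIF -s $LANSUBNET -d $server -p $proto --dport $port -j SNAT --to-source $FWLANIP"
    done
}

hairpin_rules "$MAPPINGS"
```

Because of the SNAT rule, the internal server sees the firewall's LAN IP as the source of every hairpinned connection, so its access logs and per-client ACLs cannot tell LAN clients apart on these paths.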