How come I CAN view websites (port 80)???

ivj · 09-12-2005, 07:21 PM

I have an internal network behind a Linux router running iptables.

Now I have no problems, but today I was thinking... How come I can view websites if I have the following rule:

-A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.33:80

Which's a rule I set up a while ago so I can access my internal comp website from outside...

It works just fine, but how come I am able to open websites from the internal network?

Shouldn't every time I try to connect to a web server, shouldn't my request get thrown to my internal computer?

Thanks!

Vgui · 09-13-2005, 04:50 PM

It might be related to the ingoing / outgoing traffic (ie: the rule may only apply to one of them). That, or the device is incorrect. Or perhaps the rule isn't present on each system you are trying. Or there is another rule that takes precedence over the one you added (ie: allows port 80 traffif through). I'd suggest taking a very close look at your entire iptables setup.

aq_mishu · 09-16-2005, 08:09 AM

While using NAT and port forwarding, you can get pages using the FQDN (eg. www.domain.com) from out side of the network. But if you try to access it from your lan, then you cannot do it. In that case, you'll have to use the lan ip. Because NAT and portfwd cannot portforward like this way : -
Your LAN IP--->SNAT-->Your WAN IP--->DNAT(port fwd)--->Your LAN server
I do not know why... I'm also facing the same problem. And one solution you can use.... setting us a local dns server that will MAP the FQDN (www.domain.com) to LAN (private IP). {instead of usual any Public IP}.
And there are some devices that provide NAT and virtual server (port fwd). If no other way, u can use them... but they are not very good enough. (personally saying, I changed 2 devices for within 3 months... they cannot take much load.)

jtshaw · 09-16-2005, 08:36 AM

The people over in Linux - Networking might be able to better respond to this. I'm moving this there.

aq_mishu · 09-16-2005, 01:53 PM

Vgui,
You can set your iptables to NAT from real ip --> lan and also do not forget to forward the packets. Then you can try the packeg ipvsadm coming with the RH8 or later Releases. Try to search in google for the man page of ipvsadm and you'll get what you need, I hope. T'll also start to try with it.