iptables PAT/NAT
Hello!
I did a NAT (a PAT, actually) to redirect incoming connections on port 80 to my web server in my LAN.
$IPT -A PREROUTING -t nat -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
$IPT -A POSTROUTING -t nat -p tcp -s Y.Y.Y.Y --sport 80 -j SNAT --to X.X.X.X:80
$IPT -A OUTPUT -t nat -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
$IPT -A MYCHAIN -p tcp -d Y.Y.Y.Y --dport 80 -j ACCEPT
MYCHAIN is valid for the INPUT and FORWARD chains.
If I connect from outside my LAN, e.g. from anywhere on the Internet, it works perfectly.
But when I connect from my LAN (same class as Y.Y.Y.Y, e.g. Y.Y.Y.10), it doesn't work.
I realize that if I do a real NAT (without specifying a port), this problem doesn't happen.
This works both ways (inside the LAN and outside the LAN):
$IPT -A PREROUTING -t nat -d X.X.X.X -j DNAT --to Y.Y.Y.Y
$IPT -A POSTROUTING -t nat -s Y.Y.Y.Y -j SNAT --to X.X.X.X
$IPT -A OUTPUT -t nat -d X.X.X.X -j DNAT --to Y.Y.Y.Y
$IPT -A MINHACHAIN -p tcp -d Y.Y.Y.Y --dport 80 -j ACCEPT
But I can use that way because I have other services to redirect.
Does someone have a tip or know how I can bypass this problem?
thanks
]'s
Mário Cardia
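The usual fix for this symptom (port forwarding works from the Internet but not from the LAN) is hairpin NAT; the script below is an added example, not from the post or any reply. It assumes the firewall is the LAN's default gateway, that its LAN address is Y.Y.Y.1, that the LAN is Y.Y.Y.0/24 and that forwarded traffic is accepted in FORWARD rather than MYCHAIN; all addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: hairpin (loopback) NAT so that
# LAN clients can reach the web server through the public address X.X.X.X.
# Assumed placeholders: X.X.X.X public IP, Y.Y.Y.Y web server, Y.Y.Y.0/24 LAN
# subnet, Y.Y.Y.1 the firewall's LAN address, FORWARD as the filter chain.
set -eu

IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of loading them
PUB=X.X.X.X
WEB=Y.Y.Y.Y
LAN=Y.Y.Y.0/24
FW_LAN=Y.Y.Y.1

# hairpin_nat PORT: forward TCP PORT on the public IP to the web server and
# make the forwarded connection work for LAN clients as well.
hairpin_nat() {
    port="$1"

    # 1. DNAT in PREROUTING. This already matches packets from the LAN that
    #    address the public IP, because they enter the firewall like any other.
    "$IPT" -t nat -A PREROUTING -p tcp -d "$PUB" --dport "$port" \
        -j DNAT --to-destination "$WEB:$port"

    # 2. The missing piece for LAN clients: after DNAT the server would answer
    #    the client directly (same subnet), bypassing the firewall, so the
    #    client sees a reply from Y.Y.Y.Y instead of X.X.X.X and rejects it.
    #    Rewriting the source to the firewall's LAN address forces the reply
    #    back through the firewall, where conntrack undoes both translations.
    #    Only LAN-originated packets are matched, so external clients keep
    #    their real source address in the web server's logs.
    "$IPT" -t nat -A POSTROUTING -p tcp -s "$LAN" -d "$WEB" --dport "$port" \
        -j SNAT --to-source "$FW_LAN"

    # 3. Let the forwarded packets through the filter table. No SNAT rule for
    #    the server's replies (--sport 80) is needed: conntrack reverses the
    #    DNAT on reply packets automatically.
    "$IPT" -A FORWARD -p tcp -d "$WEB" --dport "$port" -j ACCEPT
}
```

Call `hairpin_nat 80` (and once more per forwarded port) as root to load the rules, or with `IPT=echo` to review them first.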