Old 07-14-2006, 12:41 PM   #1
mcardia
iptables PAT/NAT


Hello!

I set up NAT (a PAT, actually) to redirect incoming connections on port 80 to my web server in my LAN.

$IPT -A PREROUTING -t nat -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
$IPT -A POSTROUTING -t nat -p tcp -s Y.Y.Y.Y --sport 80 -j SNAT --to X.X.X.X:80
$IPT -A OUTPUT -t nat -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
$IPT -A MYCHAIN -p tcp -d Y.Y.Y.Y --dport 80 -j ACCEPT

MYCHAIN is used for both the INPUT and FORWARD chains.

If I connect from outside my LAN, i.e. from anywhere on the Internet, it works perfectly.
But when I connect from my LAN (the same network as Y.Y.Y.Y, e.g. Y.Y.Y.10), it doesn't work.

I realized that if I do a real NAT (without specifying a port), this problem doesn't happen.

This works both ways (inside the LAN and outside the LAN):

$IPT -A PREROUTING -t nat -d X.X.X.X -j DNAT --to Y.Y.Y.Y
$IPT -A POSTROUTING -t nat -s Y.Y.Y.Y -j SNAT --to X.X.X.X
$IPT -A OUTPUT -t nat -d X.X.X.X -j DNAT --to Y.Y.Y.Y
$IPT -A MINHACHAIN -p tcp -d Y.Y.Y.Y --dport 80 -j ACCEPT

But I can't use it that way because I have other services to redirect.

Does someone have a tip, or know how I can work around this problem?

Thanks,

Cheers,

Mário Cardia
 
Old 07-14-2006, 01:07 PM   #2
peter_robb
You have a basic routing split.
Packets going to your web server (using the external IP address) will be routed to the Internet interface; NAT will redirect them to the web server (still with their original LAN source address), and the web server will reply to the originating IP address (inside the LAN) directly, not through the firewall. Your originating PC will reject the packets because they came from an internal address, not the external IP address they were sent to.

Solutions:
-- Make the LAN PCs access the web server using the internal IP address. This is best done with changes to DNS: when they resolve any URLs on the server, they are given the local IP address rather than the Internet address.
-- Do the above, and put the web server on a third NIC with a different IP network. If the web server is ever compromised, your local LAN is not.
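A third option, for readers who must keep per-port forwarding like the original poster and cannot change DNS, is hairpin NAT: keep the DNAT, but additionally SNAT LAN-originated connections that were DNATed, so the server's reply is forced back through the gateway where conntrack reverses both translations. The script below is an added example, not code from either post; the public address 203.0.113.10, the LAN 192.168.1.0/24, the web server 192.168.1.80, the interface eth1, and the gateway address 192.168.1.1 are constructed placeholders standing in for X.X.X.X, Y.Y.Y.Y and the poster's network. The IPT variable defaults to a dry run that prints the rules; set IPT=iptables and run as root to install them.

```shell
#!/bin/sh
# Hairpin (loopback) NAT for a LAN web server published on the gateway's public IP.
# Added example, not from the thread. All addresses and interface names below are
# constructed placeholders; adjust them to your network.
#
# By default IPT is "echo iptables", so running the script only prints the rules
# (a dry run). To install them, run as root with:  IPT=iptables sh hairpin.sh
IPT="${IPT:-echo iptables}"

EXT_IP="203.0.113.10"       # X.X.X.X in the thread: public address on the gateway
WEB_IP="192.168.1.80"       # Y.Y.Y.Y in the thread: web server inside the LAN
LAN_NET="192.168.1.0/24"    # LAN shared by the web server and the clients
LAN_IF="eth1"               # gateway interface facing the LAN
GW_LAN_IP="192.168.1.1"     # gateway's own address on the LAN

# Publish one TCP port of WEB_IP on EXT_IP. Call once per service (80, 443, ...).
forward_tcp() {
    port="$1"

    # 1. Destination NAT. PREROUTING sees every packet entering the gateway, so
    #    this also catches LAN clients that connect to the public address.
    $IPT -t nat -A PREROUTING -p tcp -d "$EXT_IP" --dport "$port" \
        -j DNAT --to-destination "$WEB_IP:$port"

    # 2. Hairpin SNAT. After rule 1 a LAN client's packet still carries its own
    #    LAN source address, so the server would answer the client directly and
    #    the client would drop a reply that comes from WEB_IP instead of EXT_IP.
    #    Rewriting the source to the gateway's LAN address makes the server reply
    #    to the gateway, where conntrack undoes both translations. The DNAT
    #    ctstate match limits this to connections that rule 1 actually rewrote.
    $IPT -t nat -A POSTROUTING -p tcp -s "$LAN_NET" -d "$WEB_IP" --dport "$port" \
        -o "$LAN_IF" -m conntrack --ctstate DNAT \
        -j SNAT --to-source "$GW_LAN_IP"

    # 3. Same redirection for connections made by processes on the gateway itself,
    #    which bypass PREROUTING and pass through nat OUTPUT instead.
    $IPT -t nat -A OUTPUT -p tcp -d "$EXT_IP" --dport "$port" \
        -j DNAT --to-destination "$WEB_IP:$port"

    # 4. Let the new connection through the filter table.
    $IPT -A FORWARD -p tcp -d "$WEB_IP" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Reply and related packets of translated connections are matched by state, so a
# single rule covers every published port. It is appended before the per-port
# NEW rules so that established traffic is accepted first.
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

forward_tcp 80
forward_tcp 443
```

Caveat: with hairpin SNAT the web server sees every LAN client as 192.168.1.1, so its access logs and any IP-based access control lose the real client address. That is why the DNS approach in the reply above is usually preferable when it is available (for example, a dnsmasq line `address=/www.example.com/192.168.1.80` makes LAN resolvers return the internal address). Where the server must remain reachable by its public name from inside the LAN and DNS cannot be changed, the hairpin rules above are the fallback.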