Hi!
I'm trying to set up a firewall/router system between an external and an internal network. Let's say this system has a static IP address of 123.123.123.123, and I have a web server on the internal network with a static IP address of 10.0.1.1. If I wanted to route incoming web requests to this web server, I could do:
Code:
~ iptables -t nat -A PREROUTING -p tcp -d 123.123.123.123 --dport http -j DNAT --to-destination 10.0.1.1   # --dport needs -p tcp
But let's say I wanted my firewall/router system to use a dynamic IP. How would I then route to my internal web server? For other outgoing traffic from the internal network, I set the rule:
Code:
~ iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADE
If I understand it correctly, both incoming traffic from the external network and outgoing traffic from the internal network go through PREROUTING(?). If so, I would have to make sure that PREROUTING doesn't route all web traffic from the internal network to the internal web server (as it would if I removed the -d option in the above example). I could make sure that the destination IP is that of the firewall/router system, or that the source IP is an external IP. It seems like there should be a simple solution, like MASQUERADE for outgoing POSTROUTING, but I can't find it.
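The usual way to keep a DNAT rule working behind a dynamic address is to match on the interface the packet arrived on (-i) instead of on the address, so the rule never mentions the WAN IP at all and LAN clients browsing external sites are not redirected. The script below is an added example, not code from the original post; it assumes the WAN interface is eth0 and the LAN interface is eth1 (change WAN/LAN to match your system), generates the rule set as text so it can be reviewed before use, and only runs iptables when invoked with the `apply` argument as root.

```shell
#!/bin/sh
# Added example, not the poster's own rules. Assumed interface names:
# WAN=eth0 (dynamic address, faces the Internet), LAN=eth1 (10.0.1.0/24).
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="10.0.1.0/24"
WEB="10.0.1.1"

# Emit one iptables command per line.
# PREROUTING matches on the inbound interface (-i $WAN) rather than -d <ip>,
# so it survives address changes and never touches packets entering from $LAN.
# POSTROUTING masquerades only traffic leaving via $WAN (-o $WAN).
# FORWARD admits exactly one inbound service (tcp/80 to $WEB); everything
# else from the WAN side is only allowed as a reply to an existing connection.
build_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $WEB --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Sanity check: the PREROUTING rule must not depend on a literal destination
# address (that is the part that breaks with a dynamic IP). Returns 0 if clean.
check_no_fixed_dest() {
    ! build_rules | grep 'PREROUTING' | grep -q -- ' -d '
}

# Sanity check: the DNAT rule must be restricted to the WAN interface, otherwise
# LAN clients' web traffic would also be redirected to $WEB. Returns 0 if so.
check_dnat_on_wan_only() {
    build_rules | grep 'PREROUTING' | grep -q -- "-i $WAN "
}

# Run the generated rules (needs root and iptables on the box).
apply_rules() {
    build_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run `sh firewall.sh` to print the rules and `sh firewall.sh apply` as root to install them. The MASQUERADE rule keeps the `-s 10.0.1.0/24` from the post but adds `-o $WAN`, so a reply from the web server to an external client, which already has an external destination, is still masqueraded back out, while nothing leaving on the LAN side is rewritten.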