LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 05-25-2007, 03:49 AM   #1
ALInux
Member
 
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 660
Blog Entries: 6

Rep: Reputation: 31
Routing Problem with IPTables


Hey Guys I have the following setup:

eth0:1
ISP--- -DEBIAN-eth2--Switch--Internal Web Server
eth0:2

I have one ethernet cable from my ISP on which I have two public IPs assigned, A & B. I have NATted all the traffic coming to IP B directly to my internal web server with IP C.
This scenario was applied successfully.
However, the other clients on the network and the web server itself have to be able to access the web server using IP B (i.e. the public IP), NOT the private IP C.
Naturally, if IP B is entered into a web browser it will take them to the Apache server on the Debian router, since this is the server hosting IP B.


This is the typical routing rule:
iptables -t nat -A PREROUTING --dst $B -p tcp --dport 80 -j DNAT \
--to-destination $C

Now according to http://iptables-tutorial.frozentux.n...-tutorial.html

adding this should work:

iptables -t nat -A POSTROUTING -p tcp --dst $B --dport 80 -j SNAT \
--to-source $C

But it did not work... If the rule above is added without specifying a port, pinging IP B (the public IP) from a local computer on the LAN will say "reply from IP C" (i.e. from the local web server). However, if IP B is entered into a web browser it will just stay loading forever.

Thanks for any suggestions or clarifications
 
Old 05-27-2007, 02:10 PM   #2
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,697

Rep: Reputation: 61
From my understanding you need another dnat rule. Check this post out.
http://www.linuxquestions.org/questi...highlight=dnat

Brian
 
Old 05-27-2007, 02:37 PM   #3
ALInux
Member
 
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 660
Blog Entries: 6

Original Poster
Rep: Reputation: 31
Thanks for the hint Brian1. I did try that, as my link already shows. Adding to that, that tutorial about iptables is the best I have ever read. I will try it again and post results.

P.S. I am using a MASQUERADE SNAT rule in my script. Could this be causing the problem? I cannot test this since I am logging in remotely, and disabling it would prevent me from accessing the servers.

Last edited by ALInux; 05-27-2007 at 02:38 PM.
 
Old 06-01-2007, 07:47 AM   #4
zsoltrenyi
Member
 
Registered: May 2004
Distribution: redhat, trustix, debian
Posts: 103

Rep: Reputation: 15
Is your web server accessible from the internet via IP B?

Are your web server and the other clients on the network on the same subnet?
Because if that's the case, then this happens: the client trying to get to IP B sends the packet to the router, the router redirects the packet to IP C, now the web server sees that the source address is on the same subnet and sends the packet directly to the host on the network with its own IP address (C) as source address. But the host on the network is expecting IP B as source address, as it initiated the connection to IP B.
 
Old 06-01-2007, 08:21 AM   #5
ALInux
Member
 
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 660
Blog Entries: 6

Original Poster
Rep: Reputation: 31
Good thinking zsoltrenyi... this is exactly the case, but how can I solve this dilemma?
 
Old 06-01-2007, 08:47 AM   #6
zsoltrenyi
Member
 
Registered: May 2004
Distribution: redhat, trustix, debian
Posts: 103

Rep: Reputation: 15
You have to force IP C to go through the router to access the other computers on the network.

One way would be to change the subnet mask of your web server IP C so that it is in a different subnet from the rest of your network, but in the same subnet as the router's IP.
Example: a subnet mask of 255.255.255.252 means a subnet of 2 usable IP addresses, 192.168.61.1 and 192.168.1.2, so if your router is 192.168.1.1 and the web server 192.168.1.2, then anything else beyond 192.168.1.4 goes through the router. The router can keep subnet mask 255.255.255.0.
Another way would be to completely change the IP class of the web server and configure an alias for your internal interface on your router with an IP of the same IP class.
And third, I'm not sure but you can try to remove the route towards your network from web server C and replace it with a route to the router's IP address on interface eth.....
 
Old 06-01-2007, 09:48 AM   #7
zsoltrenyi
Member
 
Registered: May 2004
Distribution: redhat, trustix, debian
Posts: 103

Rep: Reputation: 15
Maybe (I'm not sure, but you can try) you can SNAT traffic from the network with destination address IP B and dport 80 to address B; then for the web server it would appear that the connection is coming from IP B, and the response will go to IP B.
So instead of iptables -t nat -A POSTROUTING -p tcp --dst $B --dport 80 -j SNAT \
--to-source $C (which doesn't make much sense) try:
iptables -t nat -A POSTROUTING -p tcp -s $own_network --dst $B --dport 80 -j SNAT \
--to-source $B
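The asymmetric return path described in post #4 and the hairpin SNAT fix suggested in post #7, as an added simulation that is not part of this thread and not code from any of the posters. It models the router's nat table as a PREROUTING DNAT, an optional POSTROUTING SNAT that only fires for LAN-sourced traffic, and a conntrack table that un-translates the reply. All addresses (B in TEST-NET-3, C and the client in 192.168.1.0/24) are constructed. One caveat built into the model: by the time POSTROUTING runs, DNAT has already rewritten the destination to C, so the SNAT rule matches on destination C rather than B.

```python
"""
Hairpin (NAT loopback) walkthrough for the setup in this thread.

Constructed addresses (not the poster's real ones):
  B       public IP on the Debian router, DNATed to the web server
  C       web server's private IP, in the same /24 as the LAN clients
  CLIENT  a LAN workstation that browses to http://B/
"""
import ipaddress
from dataclasses import dataclass, replace

B = "203.0.113.10"
C = "192.168.1.2"
CLIENT = "192.168.1.50"
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def in_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


class Router:
    """Minimal model of the nat table plus conntrack."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # translated (src, sport, dst, dport) -> packet as it originally arrived
        self.conntrack: dict = {}

    def forward(self, pkt: Packet) -> Packet:
        """LAN packet addressed to public IP B, passing through the router."""
        orig = pkt
        # PREROUTING: -d B -p tcp --dport 80 -j DNAT --to-destination C
        if pkt.dst == B and pkt.dport == 80:
            pkt = replace(pkt, dst=C)
        # POSTROUTING hairpin rule; destination is already C here (DNAT ran first):
        # -s LAN -d C -p tcp --dport 80 -j SNAT --to-source B
        if self.hairpin_snat and in_lan(pkt.src) and pkt.dst == C and pkt.dport == 80:
            pkt = replace(pkt, src=B)
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = orig
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        """Server reply that came back via the router: undo both translations."""
        orig = self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)]
        return replace(pkt, src=orig.dst, dst=orig.src)


def server_reply(request: Packet) -> Packet:
    # The web server answers whatever source address it saw on the SYN.
    return Packet(src=request.dst, dst=request.src, sport=request.dport, dport=request.sport)


def simulate(hairpin_snat: bool) -> dict:
    router = Router(hairpin_snat)
    request = Packet(src=CLIENT, dst=B, sport=40000, dport=80)
    # B is outside the LAN subnet, so the client hands the SYN to its default gateway.
    at_server = router.forward(request)
    reply = server_reply(at_server)
    # The server's own routing table decides the next hop: a LAN destination
    # goes straight to the client (post #4), anything else back to the router.
    if in_lan(reply.dst):
        path = "server->client"
    else:
        path = "server->router->client"
        reply = router.reply(reply)
    # The client's TCP stack only accepts a reply from the address it connected to.
    accepted = (reply.src == request.dst and reply.dst == request.src
                and reply.dport == request.sport)
    return {"server_sees_src": at_server.src, "reply_src": reply.src,
            "path": path, "accepted": accepted}


if __name__ == "__main__":
    for mode in (False, True):
        print("hairpin SNAT" if mode else "DNAT only  ", simulate(mode))
```

With DNAT alone the reply leaves the server with source C straight to the client, which is exactly the "reply from IP C" seen when pinging B and the browser that loads forever; with the LAN-only SNAT the server sees B as the peer, its reply is forced back through the router, and conntrack restores B as the source the client expects. Restricting the SNAT to `-s LAN` keeps the real client address visible in the server logs for internet visitors; only hairpinned LAN connections lose it.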