Old 07-14-2006, 12:41 PM   #1
LQ Newbie
Registered: Jul 2006
Posts: 3

Rep: Reputation: 0
iptables PAT/NAT


I did a NAT (a PAT, actually) to redirect incoming connections on port 80 to my web server in my LAN.

# Incoming from the Internet: forward port 80 on the external address to the web server
$IPT -A PREROUTING -t nat -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
# Replies leaving the web server's port 80: rewrite the source back to the external address
$IPT -A POSTROUTING -t nat -p tcp -s Y.Y.Y.Y --sport 80 -j SNAT --to X.X.X.X:80
# Same redirect for connections originated on the firewall itself (nat OUTPUT chain)
$IPT -A OUTPUT -t nat -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
# Filter rule that lets the forwarded connections through (MYCHAIN is the poster's own chain)
$IPT -A MYCHAIN -p tcp -d Y.Y.Y.Y --dport 80 -j ACCEPT


If I connect from outside my LAN, i.e. from anywhere on the Internet, it works perfectly.
But when I connect from my LAN (same subnet as Y.Y.Y.Y, e.g. Y.Y.Y.10), it doesn't work.

I noticed that if I do a full NAT (without specifying a port), this problem doesn't happen.

This works both ways (inside the LAN and outside the LAN):

# 1:1 NAT of the whole external address to the web server, all protocols and ports
$IPT -A PREROUTING -t nat -d X.X.X.X -j DNAT --to Y.Y.Y.Y
# Replies from the web server: rewrite the source back to the external address
$IPT -A POSTROUTING -t nat -s Y.Y.Y.Y -j SNAT --to X.X.X.X
# Same 1:1 mapping for connections originated on the firewall itself
$IPT -A OUTPUT -t nat -d X.X.X.X -j DNAT --to Y.Y.Y.Y
# Filter rule for the forwarded web traffic (MINHACHAIN is the poster's own chain)
$IPT -A MINHACHAIN -p tcp -d Y.Y.Y.Y --dport 80 -j ACCEPT

But I can't use that approach, because I have other services to redirect.

Does anyone have a tip, or know how I can work around this problem?



Mário Cardia
Old 07-14-2006, 01:07 PM   #2
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
You have a basic routing split.
Packets going to your web server (using the external IP address) are routed to the Internet interface; NAT redirects them to the web server (still with their original LAN source address), and the web server replies to the originating address (inside the LAN) directly, not through the firewall. Your originating PC rejects the packets because they come from an internal address, not from the external IP address they were sent to.

-- Make the LAN PCs access the web server using the internal IP address. This is best done with changes to DNS: when they resolve any URLs on the server, they are given the local IP address rather than the Internet address.
-- Do the above and put the web server on a third NIC with a different IP subnet. If the web server is ever compromised, your local LAN is not.
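The other standard fix for the routing split described in the reply above, as an added example that is not code from either poster: keep the per-port DNAT, and add a "hairpin" SNAT (MASQUERADE) for connections that come from the LAN and get DNATed to a LAN server. The server then sees the firewall as the client and sends its reply back through the firewall, which un-NATs it, so the LAN client gets the packet from the external address it connected to. The script generalises the thread's single port 80 rule to a list of services, since the original poster has several to redirect. The interface name, the RFC 5737/RFC 1918 addresses and the service list are assumptions standing in for X.X.X.X and Y.Y.Y.Y; the script prints the rules rather than running them so the set can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original thread): per-port DNAT plus hairpin NAT
# so LAN clients can use the public address for published services.
#
# Assumed placeholders, adjust to your network:
#   EXT_IP  - the firewall's public address (X.X.X.X in the post), RFC 5737 value
#   LAN_NET - the internal subnet holding both clients and servers (RFC 1918)
#   WAN_IF  - the interface that carries EXT_IP
IPT=${IPT:-iptables}
EXT_IP=${EXT_IP:-203.0.113.10}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WAN_IF=${WAN_IF:-eth0}

# Constructed sample service list, one per line:
# "proto public_port internal_ip internal_port". 192.168.1.80 plays Y.Y.Y.Y.
SERVICES='
tcp 80  192.168.1.80 80
tcp 443 192.168.1.80 443
tcp 25  192.168.1.25 25
'

# Emit the four rules needed for one published service.
rules_for() {
  proto=$1; port=$2; ihost=$3; iport=$4
  # 1. Port forward for traffic arriving from the Internet on WAN_IF.
  echo "$IPT -t nat -A PREROUTING -i $WAN_IF -d $EXT_IP -p $proto --dport $port -j DNAT --to-destination $ihost:$iport"
  # 2. The same forward for LAN clients that connect to the public address.
  echo "$IPT -t nat -A PREROUTING -s $LAN_NET -d $EXT_IP -p $proto --dport $port -j DNAT --to-destination $ihost:$iport"
  # 3. Hairpin: a LAN client DNATed to a LAN server gets its source rewritten to
  #    the firewall's LAN-side address, so the reply returns via the firewall
  #    and is un-NATed instead of going server -> client directly.
  echo "$IPT -t nat -A POSTROUTING -s $LAN_NET -d $ihost -p $proto --dport $iport -j MASQUERADE"
  # 4. Filter: accept the new forwarded connection; replies are matched by
  #    conntrack state, which is independent of which rule NATed them.
  echo "$IPT -A FORWARD -d $ihost -p $proto --dport $iport -m conntrack --ctstate NEW -j ACCEPT"
}

# Emit the complete rule set: one generic state rule, then the per-service rules.
all_rules() {
  echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$SERVICES" | while read -r proto port ihost iport; do
    [ -n "$proto" ] || continue   # skip the blank lines around the list
    rules_for "$proto" "$port" "$ihost" "$iport"
  done
}

# Number of rules that would be installed (one state rule + four per service).
rule_count() { all_rules | wc -l | tr -d ' '; }

# Print the rule set. To apply it: sh this_script.sh | sh
all_rules
```

Two caveats a practitioner should weigh against the split-DNS option from the reply: with MASQUERADE the internal servers see every LAN client as the firewall's LAN address, so their access logs and any IP-based access control lose the real client address; and the hairpin only works for traffic that actually passes the firewall, so the server and the clients may share a subnet but the client must still send to the public address. Rule 2 is written separately from rule 1 so that rule 1 can keep its `-i $WAN_IF` match; a single `-d $EXT_IP` rule without the interface match would also work.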

