07-14-2006, 01:41 PM #1
LQ Newbie
Registered: Jul 2006
Posts: 3
iptables PAT/NAT
Hello!
I did a NAT (a PAT, actually) to redirect incoming connections on port 80 to my web server in my LAN.
$IPT -A PREROUTING -t nat -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
$IPT -A POSTROUTING -t nat -p tcp -s Y.Y.Y.Y --sport 80 -j SNAT --to X.X.X.X:80
$IPT -A OUTPUT -t nat -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
$IPT -A MYCHAIN -p tcp -d Y.Y.Y.Y --dport 80 -j ACCEPT
MYCHAIN is valid for the INPUT and FORWARD chains.
If I connect from outside my LAN, i.e. from any place on the internet, it works perfectly.
But when I connect from my LAN (same class as Y.Y.Y.Y, like Y.Y.Y.10 for example) it doesn't work.
I realize that if I do a real NAT (without specifying a port), this problem doesn't happen.
This works both ways (inside the LAN and outside the LAN):
$IPT -A PREROUTING -t nat -d X.X.X.X -j DNAT --to Y.Y.Y.Y
$IPT -A POSTROUTING -t nat -s Y.Y.Y.Y -j SNAT --to X.X.X.X
$IPT -A OUTPUT -t nat -d X.X.X.X -j DNAT --to Y.Y.Y.Y
$IPT -A MINHACHAIN -p tcp -d Y.Y.Y.Y --dport 80 -j ACCEPT
But I can't use that way because I have other services to redirect.
Does anyone have a tip or know how I can get around this problem?
thanks
]'s
Mário Cardia
07-14-2006, 02:07 PM #2
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
You have a basic routing split.
Packets going to your web server (using the external IP address) will be routed to the internet interface; NAT will redirect them to the web server (still with their original LAN source address), and the web server will reply to the originating IP address (inside the LAN) directly, not through the firewall. Your originating PC will reject the packets because they came from an internal address, not the external IP address they were sent to.
Solutions:
-- Make the LAN PCs access the web server using the internal IP address. Best done with changes to DNS: when they resolve any URLs on the server they are given the local IP address rather than the internet address.
-- Do the above and put the web server on a third NIC with a different IP network. If the web server is ever compromised, your local LAN is not.
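A third option, not given in the replies above, is to fix the routing split inside iptables itself (hairpin NAT): keep the per-port DNAT the poster needs and additionally SNAT LAN-originated connections to the server, so the server's reply is forced back through the firewall, which then reverses both translations. The script below is an added example, not the poster's rules; X.X.X.X and Y.Y.Y.Y are the thread's own placeholders, while FW_LAN_IP (the firewall's LAN-side address) and LAN_NET (the LAN subnet) are assumed.

```shell
#!/bin/sh
# Added example (not the poster's configuration): hairpin NAT for one
# forwarded TCP port. Assumed placeholders: FW_LAN_IP is the firewall's
# address on the LAN, LAN_NET is the LAN subnet; X.X.X.X / Y.Y.Y.Y come
# from the thread.
set -e
IPT=${IPT:-iptables}
EXT_IP=${EXT_IP:-X.X.X.X}          # public address (placeholder from the thread)
SRV_IP=${SRV_IP:-Y.Y.Y.Y}          # internal web server (placeholder from the thread)
FW_LAN_IP=${FW_LAN_IP:-Y.Y.Y.1}    # assumed: firewall's LAN-side address
LAN_NET=${LAN_NET:-Y.Y.Y.0/24}     # assumed: LAN subnet

# Emit the three rules for one service port. Call once per port, which keeps
# the per-port redirection the poster needs instead of a whole-address NAT.
hairpin_port() {
  port=$1
  # 1. Redirect anything addressed to EXT_IP:port to the server. PREROUTING
  #    also sees packets that LAN clients send to EXT_IP via the firewall.
  $IPT -t nat -A PREROUTING -p tcp -d "$EXT_IP" --dport "$port" \
       -j DNAT --to-destination "$SRV_IP:$port"
  # 2. The LAN fix: rewrite the source of DNATed LAN->server packets to the
  #    firewall's LAN address. The server now replies to the firewall, conntrack
  #    undoes both translations, and the client sees the reply arrive from
  #    EXT_IP as expected rather than directly from SRV_IP.
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$SRV_IP" -p tcp --dport "$port" \
       -j SNAT --to-source "$FW_LAN_IP"
  # 3. Allow the forwarded flow; ESTABLISHED,RELATED replies are assumed to be
  #    accepted by an existing rule earlier in FORWARD.
  $IPT -A FORWARD -p tcp -d "$SRV_IP" --dport "$port" -j ACCEPT
}

# Usage: sh hairpin.sh 80   (set IPT=echo to print the rules without applying)
if [ -n "${1:-}" ]; then
  hairpin_port "$1"
fi
```

The cost of this approach is that the web server's logs show FW_LAN_IP for every LAN client instead of the real client address, which matters for auditing and intrusion detection; the DNS-based solution above keeps the client address intact.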