LinuxQuestions.org
07-14-2006, 01:41 PM   #1
mcardia
LQ Newbie
 
Registered: Jul 2006
Posts: 3

Rep: Reputation: 0
iptables PAT/NAT


Hello!

I set up a NAT (a PAT, actually) to redirect incoming connections on port 80 to my web server in my LAN.

# nat/PREROUTING: forward inbound port 80 on the public address to the web server
$IPT -A PREROUTING -t nat -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
# nat/POSTROUTING: only new connections the server itself opens from source port 80 hit this;
# replies to the DNATed connections are un-translated by conntrack automatically
$IPT -A POSTROUTING -t nat -p tcp -s Y.Y.Y.Y --sport 80 -j SNAT --to X.X.X.X:80
# nat/OUTPUT: same redirect for connections originating on the firewall itself
$IPT -A OUTPUT -t nat -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
# filter: accept the translated traffic to the web server
$IPT -A MYCHAIN -p tcp -d Y.Y.Y.Y --dport 80 -j ACCEPT

MYCHAIN is used for both the INPUT and FORWARD chains.

If I connect from outside my LAN, i.e. from anywhere on the Internet, it works perfectly.
But when I connect from my LAN (same subnet as Y.Y.Y.Y, e.g. Y.Y.Y.10), it doesn't work.

I realize that if I do a real NAT (without specifying a port), this problem doesn't happen.

This works both ways (inside the LAN and outside the LAN):

# nat/PREROUTING: 1:1 DNAT of the whole public address to the web server, all ports
$IPT -A PREROUTING -t nat -d X.X.X.X -j DNAT --to Y.Y.Y.Y
# nat/POSTROUTING: anything the web server originates leaves with the public address
$IPT -A POSTROUTING -t nat -s Y.Y.Y.Y -j SNAT --to X.X.X.X
# nat/OUTPUT: same 1:1 DNAT for connections originating on the firewall itself
$IPT -A OUTPUT -t nat -d X.X.X.X -j DNAT --to Y.Y.Y.Y
# filter: accept port 80 to the web server
$IPT -A MINHACHAIN -p tcp -d Y.Y.Y.Y --dport 80 -j ACCEPT

But I can't use that approach because I have other services to redirect.

Does someone have a tip, or know how I can get around this problem?

thanks

]'s

Mário Cardia
 
07-14-2006, 02:07 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
You have a basic routing split.
Packets going to your web server (using an external IP address) will be routed to that Internet interface, NAT will redirect them to the web server (still with their original LAN IP address) and the web server will reply to the originating IP address (inside the LAN) by going directly, not through the firewall. Your originating PC will reject the packets because they came from an internal address, not the external IP address they were sent to.

Solutions:
-- Make the LAN PCs access the web server using the internal IP address. Best done with changes to DNS. When they resolve any URLs on the server they are given the local IP address rather than the Internet address.
-- Do the above & put the web server on a third NIC with a different IP net. If the web server is ever compromised, your local LAN is not.
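The hop sequence peter_robb describes, as an added example that is not part of the thread: a small Python model of the firewall's nat table plus the web server's routing decision, run for an Internet client, for a LAN client with the thread's rules, for a LAN client when the firewall also carries a hairpin SNAT rule (NAT reflection, the usual iptables-side alternative, which nobody in the thread proposes), and for a LAN client that resolves the name to the internal address as the reply suggests. Addresses are constructed: 203.0.113.5 stands in for X.X.X.X, 192.168.1.20 for Y.Y.Y.Y, 192.168.1.10 for Y.Y.Y.10; the firewall's LAN address 192.168.1.1 is an assumption the thread never states.

```python
"""Why the thread's port-forward works from the Internet but not from the LAN.

Added example, not code from the thread. It models the hop sequence
peter_robb describes: PREROUTING DNAT on the firewall, the web server's reply
routed directly to a same-subnet client (bypassing the firewall), and the
client rejecting a reply whose source is not the address it connected to.
Constructed addresses: 203.0.113.5 stands in for X.X.X.X (firewall WAN),
192.168.1.20 for Y.Y.Y.Y (web server), 192.168.1.10 for Y.Y.Y.10 (LAN client);
192.168.1.1 as the firewall's LAN address is an assumption, the thread gives none.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

WAN_IP = "203.0.113.5"     # X.X.X.X in the thread
FW_LAN_IP = "192.168.1.1"  # assumed LAN-side address of the firewall
SERVER = "192.168.1.20"    # Y.Y.Y.Y in the thread
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet a host sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class Firewall:
    """Minimal nat-table model: PREROUTING DNAT, an optional POSTROUTING
    hairpin SNAT, and conntrack-driven reverse translation of replies."""

    def __init__(self, hairpin=False):
        self.hairpin = hairpin
        self.conntrack = {}  # translated forward tuple -> original packet

    def forward(self, pkt):
        out = pkt
        # PREROUTING: -p tcp -d X.X.X.X --dport 80 -j DNAT --to Y.Y.Y.Y:80
        if pkt.dst == WAN_IP and pkt.dport == 80:
            out = replace(out, dst=SERVER)
        # POSTROUTING hairpin (NAT reflection), NOT in the thread's rules:
        # -s <LAN net> -d Y.Y.Y.Y --dport 80 -j SNAT --to <firewall LAN address>
        # It forces the server to answer the firewall, which then un-translates.
        if self.hairpin and ip_address(out.src) in LAN and out.dst == SERVER:
            out = replace(out, src=FW_LAN_IP)
        self.conntrack[out] = pkt
        return out

    def untranslate_reply(self, reply):
        """Conntrack reverses the translation for replies that pass through us."""
        orig = self.conntrack.get(reply.reply())
        return reply if orig is None else orig.reply()


def deliver_reply(reply, fw):
    """Routing on the web server: a same-subnet destination is reached
    directly, so the firewall never sees the reply; anything else goes to the
    default gateway (the firewall). A reply addressed to the firewall's own
    LAN address reaches the firewall as well."""
    if reply.dst != FW_LAN_IP and ip_address(reply.dst) in LAN:
        return reply
    return fw.untranslate_reply(reply)


def session_works(client_ip, target_ip, fw, sport=40000):
    """Does a SYN from client_ip to target_ip:80 get a reply the client accepts?
    A TCP stack only accepts a reply whose source is the peer it connected to;
    an unexpected SYN/ACK is answered with a RST and the connection never opens."""
    syn = Packet(client_ip, sport, target_ip, 80)
    if ip_address(target_ip) in LAN:
        at_server = syn          # same subnet: the firewall is not on the path
    else:
        at_server = fw.forward(syn)
    reply = deliver_reply(at_server.reply(), fw)
    return reply == syn.reply()


if __name__ == "__main__":
    print("Internet client -> X.X.X.X:80       :", session_works("198.51.100.7", WAN_IP, Firewall()))
    print("LAN client -> X.X.X.X:80, thread    :", session_works("192.168.1.10", WAN_IP, Firewall()))
    print("LAN client -> X.X.X.X:80, hairpin   :", session_works("192.168.1.10", WAN_IP, Firewall(hairpin=True)))
    print("LAN client -> Y.Y.Y.Y:80, split DNS :", session_works("192.168.1.10", SERVER, Firewall()))
```

The second case is the failure from post #1: the reply arrives at 192.168.1.10 with source 192.168.1.20, but the client's socket is waiting for 203.0.113.5, so the SYN/ACK is rejected. The fourth case is the DNS change from the reply above, which keeps the firewall out of the path altogether; the third shows why a hairpin SNAT also works, at the price of the web server's logs showing every LAN client as the firewall's address.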