Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
For my LAN I am using range 192.168.0.
For internet I have 2 IP addresses.
The primary WAN IP 1.1.1.1 is used for my main server (mailserver, webserver, proxy etc). This server takes care of the routing as well... Its IP on the LAN is 192.168.0.1.
Now I have a secondary server on LAN IP 192.168.0.2, which I route to WAN IP 1.1.1.2.
iptables rules used:
-A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 1.1.1.2
It is reachable on WAN IP 1.1.1.2, and when connecting to a WAN address it is also seen as 1.1.1.2. All working fine.
The problem is that when I try to connect to 1.1.1.2 from the LAN, I can not reach it. It is reachable on 192.168.0.2, but I want it reachable on the WAN address as well.
Shouldn't you be reaching your own servers (on 192.168.0.0/24) from the LAN using their local IP addresses?
If the internet servers were in a DMZ, which you probably should do, you would use your gateway firewall as the default gateway and reach them as you would any internet address.
The first server is directly connected to the ISP over optic fiber and is the gateway for the second server: we have 5 WAN IP addresses, which have to be routed by the first server.
The routing goes fine when accessed from the WAN, and when accessing the WAN, but for some reason not when accessed from the LAN.
You shouldn't be routing packets from your internal network out over the external interface on your firewall and then back in again. Just setup your DNS with split views so that internal clients are answered with the internal IP address, and all other clients (external) will get the external IP address. You could also do this with hosts files as well.
Hmm, I guess setting up a separate DNS view is a solution, since it will omit the IP address...
The only problem is that the internet domain is hosted at the ISP, and I would have to add all existing subdomains (and those created in the future) to my local view... It is not possible to add a single record as in the hosts file, is it?
I had this same issue and learned how to get past it.
I can only tell you the Shorewall way of doing it and you'll have to translate it to raw IPTables:
Add new FW rules to go from LAN to WAN - inside to out basically. I.e.
DNAT LAN WAN:192.168.1.23 tcp 80,443 - 1.1.1.2
You then need to add a rule in your SNAT or MASQ table (not sure) to NAT it back into your LAN to the right IP:
eth0:192.168.1.23 eth0 192.168.1.1 tcp 80,443
eth0 is my internal interface (LAN)
These rules are just doing ports 80 and 443 - if you need to do all ports on the IP then you'll have to remove those.
I hope this helps you out.
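As an added illustration (not code from the thread, from Shorewall or from iptables), here is a small Python model of the router's nat table plus connection tracking. Fed the two rules from the opening post it reproduces all three observations there: the server is reachable from the Internet as 1.1.1.2, outbound connections appear to come from 1.1.1.2, and a LAN client connecting to 1.1.1.2 gets nothing back. It also shows what the second Shorewall entry above supplies that the two iptables rules do not: with only DNAT, the server answers the LAN client directly from 192.168.0.2, and the client's TCP stack discards a SYN-ACK from an address it never connected to. Rewriting the source of DNATed LAN packets to the router's own address (hairpin or NAT-loopback SNAT; the raw iptables line is in the comments) forces the reply back through the router, where conntrack undoes the DNAT. The LAN client 192.168.0.50 and the remote host 203.0.113.9 are constructed addresses, not from the thread.

```python
"""Toy model of netfilter's nat table and conntrack for the two-server setup.

Only addresses are modelled (no ports, no TCP state machine): the question is
simply which source address each side sees, because that decides whether the
client's TCP stack accepts the reply.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER_LAN = "192.168.0.1"   # router's LAN address (from the post)
SERVER_LAN = "192.168.0.2"   # second server, LAN side (from the post)
SERVER_WAN = "1.1.1.2"       # second server, public address (from the post)
CLIENT = "192.168.0.50"      # constructed LAN client
REMOTE = "203.0.113.9"       # constructed Internet host (TEST-NET-3)


def on_lan(addr):
    return ipaddress.ip_address(addr) in LAN


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


# A nat rule is (chain, match, target, address). The match callable receives the
# packet as it looks when the chain runs and a flag saying whether an earlier
# DNAT rewrote it (the equivalent of "-m conntrack --ctstate DNAT").
# The two rules from the opening post:
#   iptables -t nat -A PREROUTING  -d 1.1.1.2     -j DNAT --to-destination 192.168.0.2
#   iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 1.1.1.2
ORIGINAL = [
    ("PREROUTING", lambda p, dnated: p.dst == SERVER_WAN, "DNAT", SERVER_LAN),
    ("POSTROUTING", lambda p, dnated: p.src == SERVER_LAN, "SNAT", SERVER_WAN),
]
# Hairpin fix, one extra rule (assumed equivalent of the Shorewall masq entry):
#   iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2 \
#       -m conntrack --ctstate DNAT -j SNAT --to-source 192.168.0.1
HAIRPIN = ORIGINAL + [
    ("POSTROUTING",
     lambda p, dnated: dnated and on_lan(p.src) and p.dst == SERVER_LAN,
     "SNAT", ROUTER_LAN),
]


class Router:
    def __init__(self, rules):
        self.rules = rules
        self.ct = {}  # original (src, dst) -> translated (src, dst)

    def forward(self, pkt):
        # Packets of a known flow, in either direction, reuse the recorded
        # mapping; the nat table is only consulted for the first packet.
        for (osrc, odst), (tsrc, tdst) in self.ct.items():
            if (pkt.src, pkt.dst) == (osrc, odst):
                return Pkt(tsrc, tdst)
            if (pkt.src, pkt.dst) == (tdst, tsrc):  # reply: undo the translation
                return Pkt(odst, osrc)
        src, dst, dnated = pkt.src, pkt.dst, False
        for chain in ("PREROUTING", "POSTROUTING"):
            for rchain, match, target, addr in self.rules:
                if rchain == chain and match(Pkt(src, dst), dnated):
                    if target == "DNAT":
                        dst, dnated = addr, True
                    else:
                        src = addr
                    break  # first matching rule in a chain wins
        self.ct[(pkt.src, pkt.dst)] = (src, dst)
        return Pkt(src, dst)


def deliver(pkt, router):
    """Return the packet as the receiver sees it. Two LAN hosts talk directly
    (the router never sees that traffic); everything else goes via the router."""
    if on_lan(pkt.src) and on_lan(pkt.dst) and ROUTER_LAN not in (pkt.src, pkt.dst):
        return pkt
    return router.forward(pkt)


def round_trip(rules, client, dst):
    """client sends to dst; the server answers whatever source it saw.
    Returns (packet as the server saw it, reply as the client saw it)."""
    router = Router(rules)
    at_server = deliver(Pkt(client, dst), router)
    at_client = deliver(Pkt(at_server.dst, at_server.src), router)
    return at_server, at_client


def connection_works(rules, client, dst):
    """A TCP client only accepts a SYN-ACK from the address it connected to."""
    _, at_client = round_trip(rules, client, dst)
    return at_client.src == dst and at_client.dst == client


def outbound_source(rules, remote=REMOTE):
    """Source address a remote host sees when 192.168.0.2 connects out."""
    return deliver(Pkt(SERVER_LAN, remote), Router(rules)).src


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("hairpin", HAIRPIN)):
        print(name, "remote->1.1.1.2:", connection_works(rules, REMOTE, SERVER_WAN),
              "LAN->1.1.1.2:", connection_works(rules, CLIENT, SERVER_WAN),
              "outbound seen as:", outbound_source(rules))
```

Two things a practitioner should weigh before adding the hairpin rule. First, the server's logs will record 192.168.0.1 as the client for every hairpinned connection, which is why the split-DNS answer earlier in the thread is usually preferred where it is practical. Second, the original POSTROUTING rule has no `-o` (WAN interface) match; conntrack keeps that from biting replies here, but restricting it to the WAN interface costs nothing and removes a surprise for later rules.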
That's practically what I have done with the rules: -A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 1.1.1.2
Or am I interpreting your solution incorrectly?
I don't know IPTables but from looking at this I think you are.