Hi I have a question regarding SNAT and narc

Basically, our webserver resides at 192.168.1.x on the LAN. To the outside world it is at xxx.xxx.xxx.xxx(this is actually our firewall that forwards traffic through to the webserver on the LAN at 192.168.1.x)
So, users outside the LAN just point their browsers at xxx.xxx.xxx.xxx.

In order to allow this we have a rule like:

iptables -t nat -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to-destination 192.168.1.x

Pointing the browser to xxx.xxx.xxx won't work for users on the LAN. For these people, i believe that I need something like:

iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d xxx.xxx.xxx.xxx --dport 80 -j SNAT --to-source 192.168.1.Y
(192.168.1.Y is the internal LAN address of the firewall)

I have put this last rule in the narc-custom file but it doesn't seem to work.
Any ideas?

Thanks in advance

Hi ,
Try these commands.
If you are using your Firewall box as your gateway:

iptables -t nat -A PREROUTING -p tcp --dport 80 -d (real ip) -j DNAT --to-destination (web server ip)

iptables -t nat -A POSTROUTING -p tcp -d (web server ip) -j SNAT --to-source (local LAN ip)(internal ip of your firewall box )

And if you are using your firewall box as a proxy then you hv to add one more command.

iptables -t nat -A OUTPUT -p tcp -d (real ip) -j DNAT --to-destination (webserver ip).

mmm, unfortunately it doesn't seem to work.
i've tried

iptables -t nat -A POSTROUTING -p tcp -d (lan webserver ip) --dport 80 -j SNAT --to-source (lan firewall ip)

any help greatly appreciated!
cheers