From: Philip Craig <philipc@snapgear.com>
Subject: Re: DNAT question..
Date: Thu, 24 Jul 2003 18:29:52 +1000
Message-ID: <3F1F9900.4080401@snapgear.com>
In-Reply-To: <200307241400.51653.rio@martin.mu>
To: "Rio Martin."
Cc: netfilter@lists.netfilter.org

Rio Martin. wrote:
> Dear all,
> I describe first about my network:
>
> INTERNET --- eth0 [ NAT+Firewall Linux ] eth1 --- LAN
>
> eth0 would be my public ip = 211.1.1.10
> eth1 would be my private ip = 192.168.1.1
>
> On NAT+Firewall Linux I applied this rule:
>
>   iptables -t nat -A PREROUTING -p tcp -d 211.1.1.10 --dport 80 -j DNAT --to 192.168.1.2:80
>
> This is the rule for redirecting to the local webserver.
>
> I tried to test it from the outside network (internet), surfed to http://211.1.1.10
> and it succeeded.
> But from inside the LAN network (192.168.1.3) I am unable to browse to
> http://211.1.1.10

You need to SNAT internal connections so that replies go via the firewall
instead of directly to the client, otherwise the firewall cannot reverse the
DNAT and the client drops the reply packet.

Try this rule:

  iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 80 -j SNAT --to 192.168.1.1

--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
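The following is an added illustration, not code from the thread or from netfilter: a small Python model of the two NAT rules above and the LAN hosts around them, tracing one hairpin request from 192.168.1.3 to 211.1.1.10 with and without the POSTROUTING SNAT rule. The addresses are the ones from the thread; the client source port 40000, the SNAT port range and the simplified conntrack table are constructed for the model.

```python
"""Model of the hairpin (NAT loopback) problem described in the thread.

Constructed illustration: DNAT alone lets the web server answer the LAN
client directly on eth1, so the firewall never sees the reply and cannot
undo the DNAT; adding the SNAT rule forces the reply back through it.
"""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "211.1.1.10"    # eth0 of the firewall
FW_LAN_IP = "192.168.1.1"   # eth1 of the firewall
WEB_SERVER = "192.168.1.2"
CLIENT = "192.168.1.3"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Minimal stand-in for the nat table plus conntrack on the Linux box."""

    def __init__(self, snat_hairpin: bool):
        self.snat_hairpin = snat_hairpin
        # reply 4-tuple as it will arrive -> fully restored reply for the client
        self.conntrack = {}
        self.next_snat_port = 1024  # constructed port pool for the SNAT rule

    def forward(self, pkt: Packet) -> Packet:
        # Reply direction: a known connection gets both translations undone.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            return self.conntrack[key]

        original = pkt
        # PREROUTING: -p tcp -d 211.1.1.10 --dport 80 -j DNAT --to 192.168.1.2:80
        if pkt.dst == PUBLIC_IP and pkt.dport == 80:
            pkt = replace(pkt, dst=WEB_SERVER, dport=80)
        # POSTROUTING: -p tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 80
        #              -j SNAT --to 192.168.1.1
        if (self.snat_hairpin and ipaddress.ip_address(pkt.src) in LAN
                and pkt.dst == WEB_SERVER and pkt.dport == 80):
            pkt = replace(pkt, src=FW_LAN_IP, sport=self.next_snat_port)
            self.next_snat_port += 1

        # Remember what the reply will look like and how to restore it.
        expected_reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.conntrack[expected_reply] = Packet(
            original.dst, original.dport, original.src, original.sport)
        return pkt


def reaches_firewall(pkt: Packet) -> bool:
    """A LAN host hands a packet to the firewall only if it is addressed to
    the firewall itself or to something off the LAN (the default route)."""
    if pkt.dst in (FW_LAN_IP, PUBLIC_IP):
        return True
    return ipaddress.ip_address(pkt.dst) not in LAN


def server_reply(request: Packet) -> Packet:
    """The web server answers whatever source address it saw."""
    return Packet(request.dst, request.dport, request.src, request.sport)


def hairpin_request(snat_hairpin: bool) -> dict:
    fw = Firewall(snat_hairpin)
    request = Packet(CLIENT, 40000, PUBLIC_IP, 80)
    # 211.1.1.10 is off-subnet, so the client sends this via the gateway.
    to_server = fw.forward(request)
    reply = server_reply(to_server)
    if reaches_firewall(reply):
        reply_at_client = fw.forward(reply)   # SNAT case: firewall reverses NAT
    else:
        reply_at_client = reply               # DNAT-only case: delivered directly
    # The client only accepts a reply from the endpoint it connected to.
    accepted = ((reply_at_client.src, reply_at_client.sport) == (PUBLIC_IP, 80)
                and (reply_at_client.dst, reply_at_client.dport) == (CLIENT, 40000))
    return {"server_saw_src": to_server.src,
            "reply_src": reply_at_client.src,
            "accepted": accepted}


if __name__ == "__main__":
    print("DNAT only :", hairpin_request(False))
    print("DNAT+SNAT :", hairpin_request(True))
```

Without the SNAT rule the model shows the reply arriving at the client from 192.168.1.2:80 while the client is waiting on 211.1.1.10:80, which is exactly the dropped packet the reply describes. With it, the reply goes to 192.168.1.1 and is translated back. The model also makes the side effect visible: the web server now sees 192.168.1.1 as the client address for every hairpinned LAN connection, so its access logs no longer identify which internal host made the request.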