From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Mark Ayad <mark@javamark.com>
Cc: Antony Stone <Antony@Soft-Solutions.co.uk>, netfilter@lists.samba.org
Subject: Re: Destination NAT Onto the Same Network Problem
Date: 10 Jul 2002 17:14:54 +0200	[thread overview]
Message-ID: <1026314094.13422.2.camel@rayw> (raw)
In-Reply-To: <000b01c22821$3c6b1e00$0300a8c0@W2KP01>

Hi

For my internal LAN trying to browse my web servers in the DMZ, this is
what I do:

$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 80 \
	-d $IP_INET_WEB1 -j DNAT --to $IP_INT_WEB1

# variables used above (set before the rule in the script)
IPTABLES=/sbin/iptables
IFACE_INT=eth1
IP_INET_WEB1=196.4.160.12	# internet address of web server
IP_INT_WEB1=192.168.1.12	# internal ip of the web server

One other thing: you must put this rule before redirecting web traffic
to a transparent proxy.

Ray


On Wed, 2002-07-10 at 16:51, Mark Ayad wrote:
> Nice try but no luck
> 
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j
> 
> can't use -i in POSTROUTING
> 
> So I tried
> 
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -s 192.168.0.0/24 -j MASQUERADE
> 
> No luck there although this time the rule is correct.
> 
> So I tried
> 
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -s 192.168.0.3 -j MASQUERADE
> 
> ...but no success.
> 
> I know this is a silly problem, since I could use the internal IP of the
> web server, but I want to crack this to be sure the server can be reached
> via the external address. At the moment I confirm this using a web
> anonymiser.
> 
> Mark
> 
> 
> 
> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.samba.org>
> Sent: Wednesday, July 10, 2002 4:22 PM
> Subject: Re: Destination NAT Onto the Same Network Problem
> 
> 
> > On Wednesday 10 July 2002 2:54 pm, Mark Ayad wrote:
> >
> > > I have a problem with the following Firewall Script which works fine
> > > apart from when I try to INTERNALLY connect to the webserver 192.168.0.3:80
> > > using the public IP which if I'm right should be the same as $EXTIF. The
> > > internal machine I'm launching the request from is actually the
> > > webserver (but that shouldn't matter).
> > >
> > > I know I'm missing a line from what I read in
> > > http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-10.html
> > > and I've tried nearly every combination I can think of except the
> > > one that works that is.
> > >
> > > So what's the missing line?
> > >
> > > $IPTABLES -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
> > > $IPTABLES -A INPUT -p tcp --syn -j DROP
> > >
> > > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
> > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > > $IPTABLES -A FORWARD -j LOG
> > >
> > > $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 \
> > >     -j DNAT --to-destination 192.168.0.3:80
> > >
> > > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> >
> > This one looks a bit odd to me, even though I've written it myself, but I
> > think it should do the trick:
> >
> > $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j MASQUERADE
> >
> > If it doesn't, then just use the standard version:
> >
> > $IPTABLES -t nat -A POSTROUTING -o $INTIF -s a.b.c.d/n -j MASQUERADE
> >
> > where a.b.c.d/n is your internal network range.
> >
> >
> >
> > Antony.
> >
> >
> 
> 
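The piece the quoted script is missing, as an added example that is not any poster's script: a complete hairpin (NAT loopback) rule set combining Ray's internal-interface DNAT with the source NAT Antony describes. The interface names eth0/eth1 and the public address 203.0.113.10 are assumptions; the LAN range and web server address are the ones Mark quotes. With DRY_RUN=1 it prints the rules instead of loading them, so it can be reviewed without iptables or root.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rule set for reaching a LAN web server through its
# public address from inside the LAN. Added example, not a poster's script.
# Assumed values: eth0/eth1 as the interfaces, 203.0.113.10 as the public
# address (TEST-NET-3); the LAN range and server address follow the thread.
IPTABLES=/sbin/iptables
EXTIF=eth0                 # interface facing the internet
INTIF=eth1                 # interface facing the internal LAN
INT_NET=192.168.0.0/24     # internal range
PUB_WEB=203.0.113.10       # address clients type in (normally $EXTIF's address)
INT_WEB=192.168.0.3        # real address of the web server

# DRY_RUN=1 prints each rule instead of loading it, so the script can be
# reviewed on a host without iptables or root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

hairpin_rules() {
    # 1. Internet clients: the usual DNAT, matched on the external interface.
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 \
        -d "$PUB_WEB" -j DNAT --to-destination "$INT_WEB:80"
    # 2. LAN clients hitting the public address: the same DNAT, but matched on
    #    the internal interface. Matching only -i eth0 (as in the quoted
    #    script) leaves these packets for the firewall's own INPUT chain.
    run "$IPTABLES" -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 \
        -d "$PUB_WEB" -j DNAT --to-destination "$INT_WEB:80"
    # 3. Source NAT for the hairpinned flow only. After DNAT the server and
    #    the client sit on the same LAN, so the server would answer the
    #    client directly and the client would discard a SYN/ACK from
    #    192.168.0.3 when it expects one from the public address. Rewriting
    #    the source to the firewall's LAN address drags the reply back
    #    through the firewall, where the DNAT is reversed. The -s/-d match
    #    keeps ordinary LAN-to-LAN traffic untouched.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$INTIF" -s "$INT_NET" \
        -d "$INT_WEB" -p tcp --dport 80 -j MASQUERADE
    # 4. Both directions of the hairpinned flow enter and leave on $INTIF,
    #    which neither FORWARD rule in the quoted script matches; allow it.
    run "$IPTABLES" -A FORWARD -i "$INTIF" -o "$INTIF" -j ACCEPT
    # 5. Normal outbound masquerading, unchanged from the thread.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -s "$INT_NET" -j MASQUERADE
}

# Self-check helper: number of rules the script would load.
rule_count() { ( DRY_RUN=1; hairpin_rules ) | wc -l | tr -d ' '; }

# Load the rules only when invoked as: sh hairpin.sh apply
if [ "${1:-}" = "apply" ]; then hairpin_rules; fi
```

As Ray notes, the two DNAT rules must sit before any REDIRECT to a transparent proxy in the same PREROUTING chain, or the proxy rule will catch the port 80 traffic first.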