From: Romain Moyne <aero_climb@yahoo.fr>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: netfilter@lists.netfilter.org
Subject: Re: port translation
Date: Sun, 11 Jan 2004 14:45:37 +0100	[thread overview]
Message-ID: <40015381.1090803@yahoo.fr> (raw)
In-Reply-To: <1073827964.769.16.camel@elendil.intranet.cartel-securite.net>

Cedric Blancher wrote:

> On Sun 11/01/2004 at 13:53, Romain Moyne wrote:
>
>> Ok. I begin to understand... Now I have corrected my rules:
>> iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet
>
> OK, fine. Now it should work ;)
>
>> But now I have a new problem: my router, my http server and my
>> workstation are connected with a hub.
>
> [Snip ASCII art]
>
>> I can't access my webserver from my workstation and it's very painful....
>> Can you still help me? :-D
>
> To complete Antony's answer, trying to reach your webserver from your
> LAN with its public IP is a common issue that constitutes a FAQ.
>
> We will describe what happens when your workstation (WS) tries to
> connect to your Webserver (WB) via your router (R) public IP (PPP0).
>
> 	WS sends a SYN to R, port 80
> 		SYN : WS -> PPP0
>
> 	R receives the SYN and DNATs it to WB, port 80
> 		SYN : WS -> WB
>
> 	WB receives the SYN and answers.
> 		SYN,ACK : WB -> WS
>
> But, as WB and WS are on the same network, WB answers directly to WS,
> without using R as gateway. So, WS receives a SYN,ACK from WB, but was
> waiting for a SYN,ACK from PPP0. That's why the connection fails.
>
> To address this issue, you have to SNAT this kind of connection on the
> router so WB answers through R:
>
> 	iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
>
What must I write instead of $LAN and $ETH0?

> I completely agree with Antony's advice on DMZ use. From a security point of
> view, redirecting a service within the LAN is a major architectural flaw.
>

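The complete NAT rule set for the setup discussed in this thread (outbound SNAT on ppp0, the DNAT that publishes the web server, and the "hairpin" SNAT from Cedric's reply), as an added example that is not part of the original message or of anyone's reply. It follows the syntax of Cedric's rule in taking $LAN to be the LAN subnet and $ETH0 to be the router's own address on its LAN interface; the addresses themselves (203.0.113.5, 192.168.1.0/24 and so on) are assumptions for illustration, and the hairpin rule is narrowed to tcp/80 rather than matching all traffic to the web server.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the NAT rule set for
# a router (R, eth0 on the LAN, ppp0 to the Internet), a web server (WB) and a
# workstation (WS) sharing one hub, so that WS can reach WB via the public IP.
# All addresses below are assumptions chosen for illustration.
PUBLIC_IP="203.0.113.5"      # assumed: My_ip_on_internet, held by ppp0
WB="192.168.1.10"            # assumed: the web server's LAN address
LAN="192.168.1.0/24"         # what $LAN stands for: the LAN subnet
ETH0="192.168.1.1"           # what $ETH0 stands for: the router's eth0 address

# Print the iptables commands instead of running them, so the rule set can be
# reviewed before it is applied as root.
hairpin_nat_rules() {
    pub="$1"; wb="$2"; lan="$3"; eth0="$4"
    cat <<EOF
# Forwarding must be on, or nothing crosses the router at all.
sysctl -w net.ipv4.ip_forward=1
# Outbound SNAT for the LAN (Romain's corrected rule).
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source $pub
# Publish the web server. Match on the destination address, not on "-i ppp0":
# a LAN host connecting to the public IP enters the router on eth0, and an
# "-i ppp0" rule would never translate that connection.
iptables -t nat -A PREROUTING -p tcp -d $pub --dport 80 -j DNAT --to-destination $wb:80
# Hairpin SNAT: a LAN host whose connection was just DNATed to WB gets its
# source rewritten to the router's LAN address, so WB answers to R and R
# un-NATs both directions. Direct WS->WB traffic never crosses R, so the
# rule only ever matches connections that went through the public IP.
iptables -t nat -A POSTROUTING -s $lan -d $wb -p tcp --dport 80 -j SNAT --to-source $eth0
# Let the forwarded traffic through the filter table.
iptables -A FORWARD -p tcp -d $wb --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# "apply" runs the rules (root required); "check" shows the resulting NAT
# table; no argument just prints the commands.
case "${1:-}" in
    apply) hairpin_nat_rules "$PUBLIC_IP" "$WB" "$LAN" "$ETH0" | sh -e ;;
    check) iptables -t nat -L -n -v --line-numbers ;;
    *)     hairpin_nat_rules "$PUBLIC_IP" "$WB" "$LAN" "$ETH0" ;;
esac
```

After applying, `sh script.sh check` should show both translations, and a connection from WS to the public IP on port 80 should appear in WB's logs with the router's eth0 address as the client, which is the visible cost of this workaround: the web server no longer sees the real LAN client. If ppp0 gets a dynamic address, the DNAT rule has to be regenerated whenever it changes.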