* port and address forward
@ 2005-05-09 14:36 Roberto Dud (listas)
2005-05-09 17:56 ` Rob Sterenborg
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Roberto Dud (listas) @ 2005-05-09 14:36 UTC (permalink / raw)
To: netfilter
Hi All,
I have a web and mail server in my local LAN with IP 192.168.0.x and I
have a firewall / gateway with a valid address. I have a policy to
redirect port 80 to my internal server. But when I try to access my website
from inside my internal LAN, I can't access it.
My chain is below:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT
--to-dest 192.168.0.X
iptables -A FORWARD -p tcp -i eth0 --dport 80 -d 192.168.0.X -j ACCEPT
Can anyone help me?
thanks,
Dud.
* RE: port and address forward
From: Rob Sterenborg @ 2005-05-09 17:56 UTC (permalink / raw)
To: netfilter
> I have a web and mail server in my local LAN with IP
> 192.168.0.x and I have a firewall / gateway with a valid
> address. I have a policy to redirect port 80 to my
> internal server. But when I try to access my website from
> inside my internal LAN, I can't access it.
>
> My chain is below:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
> -j DNAT --to-dest 192.168.0.X
> iptables -A FORWARD -p tcp -i eth0 --dport 80 \
> -d 192.168.0.X -j ACCEPT
I suppose your forward policy is DROP. Do you have a:
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
in your ruleset?
Gr,
Rob
* Re: port and address forward
From: Jason Opperisano @ 2005-05-09 18:19 UTC (permalink / raw)
To: netfilter
On Mon, May 09, 2005 at 02:36:04PM +0000, Roberto Dud (listas) wrote:
> Hi All,
>
> I have a web and mail server in my local LAN with IP 192.168.0.x and I
> have a firewall / gateway with a valid address. I have a policy to
> redirect port 80 to my internal server. But when I try to access my website
> from inside my internal LAN, I can't access it.
>
> My chain is below:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT
> --to-dest 192.168.0.X
> iptables -A FORWARD -p tcp -i eth0 --dport 80 -d 192.168.0.X -j ACCEPT
>
> Can anyone help me?
1) connect to the web server using its 192.168.0.X address--no firewall
involved.
2) set up split DNS so that www.mysite.com resolves to 192.168.0.X
internally and to the external IP of the firewall externally.
3) wait for someone else to post the stupid DNAT/SNAT solution.
-j
--
"Stewie: Mother, as first lady of the American stage Helen Hayes once
said, "I'm going to kill you.""
--Family Guy
* Re: port and address forward
From: Taylor, Grant @ 2005-05-09 18:28 UTC (permalink / raw)
To: netfilter
> I have a web and mail server in my local LAN with IP 192.168.0.x and I
> have a firewall / gateway with a valid address. I have a policy to
> redirect port 80 to my internal server. But when I try to access my website
> from inside my internal LAN, I can't access it.
>
> My chain is below:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT
> --to-dest 192.168.0.X
> iptables -A FORWARD -p tcp -i eth0 --dport 80 -d 192.168.0.X -j ACCEPT
Add a rule to your nat table like this:
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/24 -d $External_IP_Address_of_your_firewall -p tcp --dport 80 -j DNAT --to-destination 192.168.0.x
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -d 192.168.0.x -p tcp --dport 80 -j SNAT --to-source $Internal_IP_Address_of_your_firewall
iptables -A FORWARD -p tcp -i eth1 -o eth1 -d 192.168.0.x --dport 80 -j ACCEPT
This will DNAT any traffic coming from your LAN that is directed at the external IP of your firewall for your web server to go directly to the web server in house. The likely reason that things are not working for you now is that the external IP of your firewall / router is directly accessible from the firewall / router itself, and thus the traffic will not (logically) go out the internet connection and back in and pass through your other DNAT / related rules.
Grant. . . .
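The following script is an added example, not code from Grant or from the thread, that puts Grant's three hairpin rules and Rob's RELATED,ESTABLISHED rule together into one reviewable ruleset for the setup Dud describes. Everything in the variables is an assumption: eth0 is the internet side and eth1 the LAN side (as in Grant's reply), 203.0.113.10 stands in for the firewall's public IP, 192.168.0.1 for its LAN IP, and 192.168.0.10 for the web server; `hairpin_rules` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): "hairpin" NAT so LAN clients can reach
# the web server through the firewall's public IP. All values are assumptions.

EXT_IF="eth0"            # internet-facing interface (as in Dud's rules)
INT_IF="eth1"            # LAN-facing interface (as in Grant's rules)
EXT_IP="203.0.113.10"    # assumed public IP of the firewall (documentation range)
INT_IP="192.168.0.1"     # assumed LAN IP of the firewall
LAN="192.168.0.0/24"
WEB="192.168.0.10"       # assumed web server
PORT="80"

# IPT lets you substitute "echo" for a dry run; default is the real binary.
IPT="${IPT:-iptables}"

# Emit the ruleset one command per line so it can be reviewed before it runs.
# Order matters: the RELATED,ESTABLISHED rule comes first so reply packets
# (including the hairpinned ones) are accepted even with a DROP policy.
hairpin_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $PORT -j DNAT --to-destination $WEB
$IPT -t nat -A PREROUTING -i $INT_IF -s $LAN -d $EXT_IP -p tcp --dport $PORT -j DNAT --to-destination $WEB
$IPT -t nat -A POSTROUTING -o $INT_IF -s $LAN -d $WEB -p tcp --dport $PORT -j SNAT --to-source $INT_IP
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $WEB --dport $PORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INT_IF -o $INT_IF -p tcp -d $WEB --dport $PORT -m state --state NEW -j ACCEPT
EOF
}

# Why the SNAT: without it the web server would answer a LAN client directly
# (same subnet), the client would see a reply from 192.168.0.10 instead of the
# public IP it connected to, and the TCP handshake would fail. The cost is
# that the server's access log shows $INT_IP for every LAN client, so keep
# the SNAT rule as narrow as shown (LAN source, web server destination only).

# Usage: sh hairpin.sh         -> print the rules for review
#        sh hairpin.sh apply   -> execute them with $IPT
case "${1:-print}" in
    apply) hairpin_rules | sh -e ;;
    print) hairpin_rules ;;
esac
```

Run it without arguments first and read the output; only the second PREROUTING rule and the POSTROUTING rule are new compared with Dud's original two, and the last FORWARD rule is what lets the DNATed packet go back out the same LAN interface it arrived on.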
* Re: port and address forward
From: Roberto Dud (listas) @ 2005-05-09 16:55 UTC (permalink / raw)
To: Taylor, Grant; +Cc: netfilter
Taylor, Grant wrote:
>> I have a web and mail server in my local LAN with IP 192.168.0.x and
>> I have a firewall / gateway with a valid address. I have a policy to
>> redirect port 80 to my internal server. But when I try to access my
>> website from inside my internal LAN, I can't access it.
>>
>> My chain is below:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT
>> --to-dest 192.168.0.X
>> iptables -A FORWARD -p tcp -i eth0 --dport 80 -d 192.168.0.X -j ACCEPT
>
>
> Add a rule to your nat table like this:
>
> iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/24 -d
> $External_IP_Address_of_your_firewall -p tcp --dport 80 -j DNAT
> --to-destination 192.168.0.x
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -d
> 192.168.0.x -p tcp --dport 80 -j SNAT --to-source
> $Internal_IP_Address_of_your_firewall
> iptables -A FORWARD -p tcp -i eth1 -o eth1 -d 192.168.0.x --dport 80
> -j ACCEPT
>
> This will DNAT any traffic coming from your LAN that is directed at
> the external IP of your firewall for your web server to go directly to
> the web server in house. The likely reason that things are not
> working for you now is that the external IP of your firewall / router
> is directly accessible from the firewall / router itself, and thus
> the traffic will not (logically) go out the internet connection and
> back in and pass through your other DNAT / related rules.
>
> Grant. . . .
>
it works....
thanks a lot...
Dud.