From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: Maybe a Newbie question about SNAT/DNAT
Date: Fri, 13 May 2005 12:17:01 +0200
Message-ID: <42847E9D.4070107@mnemon.de>
In-Reply-To: <001701c5573b$bb21d210$0bc8a8c0@DES007>
Hi Melim,
melim wrote:
>
> I have a valid IP on interface eth2 and an internal net IP on eth0; I'm
> using some well documented rules to redirect port requests to another
> internal server.
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d 200.180.X.X \
>   -j DNAT --to-destination 192.168.200.251
> iptables -t nat -A POSTROUTING -p tcp --sport 80 -s 192.168.200.251 \
>   -j SNAT --to-source 200.180.X.X
...
> On the web server I have a default gateway defined to another router, but
> even removing it, it won't work.
> It only works when I define the default GW to my router machine, but I don't
> want to do this.
So you DNAT HTTP requests to 192.168.200.251 and you SNAT the responses
to 200.180.X.X. Ok so far. Some tcpdump would be nice, but I think you
can solve this with the following rule:
iptables -t nat -I POSTROUTING -p tcp -o eth0 --dport 80 \
-j SNAT --to-source 192.168.200.254
This assumes that eth0 on your router is 192.168.200.254. I think this
happens:
Incoming request from e.g. 1.1.1.1. DNAT to 192.168.200.251. This packet
arrives at the web server:
dst: 192.168.200.251
src: 1.1.1.1 !!
As 1.1.1.1 is not known to the web server, it sends the reply to its default
gateway, which is _not_ the router, so the packets vanish. tcpdump a bit
and probably you will see exactly this.
HTH and have a nice time,
Joerg
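The setup Joerg describes, as an added example (this script is not from the thread and not from the netfilter project): inbound HTTP is DNATed to the internal web server, and the same packets are SNATed to the router's own LAN address on their way out of eth0, so the server answers the router no matter what its default gateway is. Conntrack reverses both translations on the reply, so the separate "SNAT the answers back to 200.180.X.X" rule from the original post is not needed. The interface names, the router's LAN address 192.168.200.254 and the web server 192.168.200.251 are taken from the thread; the public address is an environment variable whose default (203.0.113.10, a documentation address) only stands in for the thread's 200.180.X.X. The `-i`/`-d` matches on the rules and the FORWARD rules are my additions, tightening the rules to the one published service.

```shell
#!/bin/sh
# Added example, not code from the thread: DNAT inbound HTTP to an internal
# web server and SNAT those packets to the router's LAN address, so the
# server replies to the router even though its default gateway is elsewhere.
#
# Assumptions (override via the environment to match your network):
#   WAN_IF / LAN_IF   public and internal interfaces (eth2 / eth0 in the thread)
#   PUBLIC_IP         stand-in for the thread's 200.180.X.X (placeholder value)
#   ROUTER_LAN_IP     the router's own address on LAN_IF (192.168.200.254)
#   WEB_IP            the internal web server (192.168.200.251)
#   IPT               set IPT=echo to print the rules instead of applying them
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth2}"
LAN_IF="${LAN_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"      # placeholder for 200.180.X.X
ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.200.254}"
WEB_IP="${WEB_IP:-192.168.200.251}"

nat_rules() {
    # Inbound: 1.1.1.1 -> PUBLIC_IP:80 becomes 1.1.1.1 -> WEB_IP:80.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_IP"
    # The fix from the reply: on the way out of LAN_IF the DNATed packet gets
    # the router's LAN address as source, so the web server sees
    # 192.168.200.254 -> 192.168.200.251:80 and sends its reply to this box.
    # Conntrack undoes both translations on the reply packet, so no explicit
    # "SNAT --to-source PUBLIC_IP" rule for the answers is required.
    "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$WEB_IP" --dport 80 \
        -j SNAT --to-source "$ROUTER_LAN_IP"
}

filter_rules() {
    # FORWARD sees the packet after DNAT, so match on the internal address.
    # Only new connections to the published service and the return traffic
    # of established flows are forwarded; everything else hits the policy.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_IP" --dport 80 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null && nat_rules && filter_rules ;;
    show)  ( IPT=echo; nat_rules; filter_rules ) ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run `sh nat.sh show` to review the rules, `sh nat.sh apply` as root to load them. To confirm the behaviour Joerg predicts, run `tcpdump -ni eth0 tcp port 80 and host 192.168.200.251` on the router: with the POSTROUTING SNAT in place the requests arrive at the web server from 192.168.200.254 and the replies come straight back to that address; without it the requests carry the real client address and the replies never reappear on eth0. The trade-off is that the web server's access log now records the router's address instead of the real client, so client addresses have to be logged on the router if they are needed.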
2005-05-12 21:44 Maybe a Newbie question about SNAT/DNAT melim
2005-05-13 10:17 ` Jörg Harmuth [this message]