From: Jonathan Wheeler <griffous@griffous.net>
To: netfilter@lists.netfilter.org
Subject: Combined Internal/External DNAT question
Date: Sat, 14 May 2005 17:51:47 +1200
Message-ID: <428591F3.8090400@griffous.net>
Hi Guys,
I have a number of internal servers sitting behind my iptables firewall
running various services (smtp/http/dns etc).
My public IP address sits on my DSL router's WAN interface, which nats
the specified ports for my public services to the firewall's interface &
IP which is attached to the router via crossover cable.
Iptables has about 15 entries all along the lines of
iptables -t nat -A PREROUTING -d 10.0.0.1 -i eth1 -p tcp --dport
<tcpservice> -j DNAT --to <relevant.internal.server>:<tcpservice>
And this works nicely.
However I have the classic situation of internal clients using the DNS
entries for these servers, which point them to my external IP. The
firewall forwards the traffic out the DSL interface to the internet as
it has no knowledge of my public IP. It doesn't work: the DSL router
can't NAT to and from the LAN interface.
The following documentation is close to what I want, but doesn't quite work.
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html
The reason it doesn't work is that my firewall doesn't actually have the
external IP.
What I need is a rule along the lines of:
iptables -t nat -I PREROUTING -d <publicIP> -s <internal-lan> -j DNAT
--to 10.0.0.1
I would then have traffic from the internal lan, going the same
destination IP that my public natting rules are already built for. Which
should then redirect internal clients to my internal servers using these
same natting rules.
It appears however that once iptables has done its initial DNAT of a
session as per the rule above, it doesn't re-evaluate the PREROUTING chain.
Which means that clients try to connect to the firewall itself rather
than being DNATed again.
HELP, I need some kind of a double DNAT?
I know there are solutions to this problem like dual dns, but getting
this would be MUCH quicker to setup/manage/scale, and I wouldn't have to
play DNS games.
I could also create a whole second set of rules DNATing internal traffic
destined for my public IP, to go to the correct server, but then I'd
have 2 chains of traffic to maintain. Is there no way I can do this all
with one set of rules, on the one firewall?
Thanks,
Jonathan.
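One way to keep a single list of services while still getting both the external rules and the internal "hairpin" rules, as an added example that is not part of the original post or any reply: a small shell script derives every rule from one service table. It goes beyond the post in adding a POSTROUTING SNAT, which is needed when client and server share a LAN (otherwise the server answers the client directly and the client drops the reply). All addresses except 10.0.0.1 and eth1 are constructed placeholders.

```shell
#!/bin/sh
# Derive external DNAT rules and internal hairpin rules from ONE table.
# Conntrack picks a NAT mapping once per connection, so PREROUTING is not
# re-run on the already-DNATed packet; instead, match the internal case
# directly on the public IP and send it straight to the server.

PUBLIC_IP="203.0.113.10"   # assumed: public IP on the DSL router's WAN side
FW_LAN_IP="192.168.1.1"    # assumed: firewall's LAN-side address
LAN="192.168.1.0/24"       # assumed: internal LAN (clients and servers)
FW_EXT_IP="10.0.0.1"       # from the post: firewall IP on the router link
WAN_IF="eth1"              # from the post: interface facing the DSL router

# One service per line: proto port internal_server (constructed sample)
SERVICES="
tcp 25 192.168.1.10
tcp 80 192.168.1.20
udp 53 192.168.1.30
"

# Print the iptables commands for every service (dry run; pipe to sh to apply).
gen_rules() {
    echo "$SERVICES" | while read -r proto port server; do
        [ -z "$proto" ] && continue
        # (1) Traffic forwarded by the DSL router to the firewall's link IP.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $FW_EXT_IP" \
             "-p $proto --dport $port -j DNAT --to-destination $server:$port"
        # (2) Internal clients that resolved the public DNS name: DNAT to the
        #     server in the same PREROUTING pass, no second DNAT needed.
        echo "iptables -t nat -A PREROUTING -s $LAN -d $PUBLIC_IP" \
             "-p $proto --dport $port -j DNAT --to-destination $server:$port"
        # (3) Rewrite the source so the server's reply returns via the
        #     firewall, where conntrack undoes the DNAT (assumed same-LAN case).
        echo "iptables -t nat -A POSTROUTING -s $LAN -d $server" \
             "-p $proto --dport $port -j SNAT --to-source $FW_LAN_IP"
    done
}

# Count generated rule lines matching a pattern (used for sanity checks).
count_rules() {
    gen_rules | grep -c "$1"
}
```

Review the output of gen_rules first; only then run gen_rules | sh on the firewall.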