From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: IP redirect?
Date: Mon, 20 Oct 2008 11:23:00 -0500
Message-ID: <48FCB064.1020907@riverviewtech.net>
In-Reply-To: <48FC5095.5040202@read.org.nz>

On 10/20/08 04:34, Morgan Read wrote:
> To redirect lan traffic addressed to the wan IP (e.g.) 123.456.789.012
> to the lan IP address 192.168.1.123, I'm using the following:
> $ iptables -t nat -I PREROUTING 1 -d 123.456.789.012 -j DNAT --to-destination 192.168.1.123
>
> But, all internal traffic seems to get lost - 18 months ago when I last
> did this, traffic to 123.456.789.012 seemed to hit 192.168.1.123 and
> come back without problem.

Please search the mailing list archives for the "TCP Triangle". The
most recent thread was "routing all HTTP requests to my own web server".
Also, take a look at one of Julian's images
"http://jengelh.hopto.org/images/dnat-mistake.png" for more information.

> I've added the following, with some interesting results:
> $ iptables -t nat -I POSTROUTING 1 -s 192.168.1.40 -j SNAT --to-source 58.28.20.69

*nod*

> Now, the traffic from the specific lan IP 192.168.1.123 does seem to be
> redirected correctly and come back to itself. But still, all other lan
> traffic seems to get lost.

This is as I would expect.

> Any ideas what's happening, where I'm getting lost?

You are only SNATing traffic from (-s) 192.168.1.40. Try SNATing all
traffic from your local LAN that is being redirected to your system.

$ iptables -t nat -I POSTROUTING 1 -s 192.168.1.0/24 -d 192.168.1.123 -j SNAT --to-source 58.28.20.69

Note: I'm not sure why you are using a source of 58.28.20.69. I would
think that you would want to use the source of your internal interface
in the 192.168.1.0/24 network.

Grant. . . .
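
Added example (not part of the original message and not netfilter code): a small Python trace of the "TCP triangle" discussed above, showing what the server and the LAN client each see with no SNAT rule, with the single-host `-s 192.168.1.40` rule, and with the subnet-wide rule. The WAN address 203.0.113.10, the router LAN address 192.168.1.1, the second client 192.168.1.50 and the function `trace_hairpin` are constructed for illustration.

```python
import ipaddress

# Constructed addresses (assumptions, not taken from the thread's real setup).
WAN_IP = "203.0.113.10"      # router's public address (documentation range)
ROUTER_LAN = "192.168.1.1"   # router's LAN-side address
SERVER = "192.168.1.123"     # DNAT target on the LAN

def trace_hairpin(client, snat_match=None, snat_to=ROUTER_LAN):
    """Trace one connection from a LAN client to WAN_IP through the router.

    snat_match: CIDR used as -s in the POSTROUTING SNAT rule (None = no rule).
    snat_to is assumed to be an address the router itself owns.
    Returns (source the server sees, source the client sees on the reply,
             whether the client's TCP stack accepts that reply).
    """
    src, dst = client, WAN_IP
    expected_reply_src = dst           # client only knows it talked to WAN_IP

    # PREROUTING: -d WAN_IP -j DNAT --to-destination SERVER
    if dst == WAN_IP:
        dst = SERVER

    # POSTROUTING: -s snat_match -d SERVER -j SNAT --to-source snat_to
    snat = (snat_match is not None and dst == SERVER and
            ipaddress.ip_address(src) in ipaddress.ip_network(snat_match))
    if snat:
        src = snat_to
    server_sees = src

    # The server answers the source address it saw.
    if snat:
        # Reply goes back to the router, which reverses both translations.
        reply_src = WAN_IP
    else:
        # Same subnet: reply is delivered directly, DNAT is never undone.
        reply_src = SERVER
    return server_sees, reply_src, reply_src == expected_reply_src

if __name__ == "__main__":
    for rule in (None, "192.168.1.40/32", "192.168.1.0/24"):
        for client in ("192.168.1.40", "192.168.1.50"):
            print(rule, client, trace_hairpin(client, rule))
```

In the working cases the first returned value is the router's address, so the server's access logs attribute every hairpinned LAN connection to the router rather than to the real client.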