From: Kirk <whereisgui@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Confused about NAT and forwarding
Date: Tue, 22 Feb 2005 14:24:03 -0800
Message-ID: <48be50bb050222142429a5be8f@mail.gmail.com>

Hello,

I'm a bit confused about how NAT and forwarding work. Here's the situation:

I have a proxy server and a web server behind a firewall/gateway. The
proxy and the web server now have private addresses but they used to
have public addresses. Since I can't make changes to the DNS server, I
added those two old addresses to the firewall's eth0 interface and
then I added the following rules to iptables:

*filter
#http requests
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 443 -j ACCEPT

#Ezproxy
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.2 --dport 2048 -j ACCEPT
COMMIT

*nat
#forwarding and NAT
-A POSTROUTING -o eth0 -j SNAT --to FIREWALL_IP

#web server
-I PREROUTING -i eth0 -p tcp -d OLD_WEB_IP --dport 80 -j DNAT --to 192.168.0.3:80
-I PREROUTING -i eth0 -p tcp -d OLD_WEB_IP --dport 443 -j DNAT --to 192.168.0.3:443

#Ezproxy
-I PREROUTING -i eth0 -p tcp -d PROXY_IP --dport 2048 -j DNAT --to 192.168.0.2:2048
COMMIT

The proxy server authenticates users by connecting to a database
that's not behind the firewall. I looked at the log files of the
database server and I noticed that the firewall's IP address is the
one that's showing up instead of the address of the proxy server.

I just read the NAT howto from netfilter.org and I guess this line is
responsible for that behavior:
-A POSTROUTING -o eth0 -j SNAT --to FIREWALL_IP

Is it possible to make requests for PROXY_IP go out with the PROXY_IP
address instead of the FIREWALL_IP?
If so, how can I do that? Or where do I find info about what I want to do?

Thanks.
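
As an added example, not part of Kirk's message or of any reply in the thread, here is the ruleset above rewritten so that connections originating from the proxy leave the firewall with PROXY_IP as their source. The point it illustrates is that the nat table is consulted only for the first packet of a new connection and the first matching POSTROUTING rule wins, so a source-specific SNAT rule has to be listed before the catch-all SNAT to FIREWALL_IP. FIREWALL_IP, OLD_WEB_IP and PROXY_IP are the same placeholders used in the message. The conntrack rule at the top of the FORWARD chain is an assumption about the rest of the ruleset, which the message does not show: the quoted FORWARD rules accept only SYN packets, so the remaining packets of each connection have to be accepted either by such a rule or by an ACCEPT policy.

```conf
*nat
# Order matters: POSTROUTING is evaluated only for the first packet of a
# connection and the first matching rule wins, so the source-specific
# SNAT rules must come before the catch-all.

# Proxy (192.168.0.2): outbound connections, including the ones to the
# authentication database, leave with its old public address. Remote
# logs and any allow-list keyed on PROXY_IP see the proxy again.
-A POSTROUTING -o eth0 -s 192.168.0.2 -j SNAT --to-source PROXY_IP

# Web server (192.168.0.3): same treatment so it keeps OLD_WEB_IP.
-A POSTROUTING -o eth0 -s 192.168.0.3 -j SNAT --to-source OLD_WEB_IP

# Everything else on the LAN is translated to the firewall's address.
-A POSTROUTING -o eth0 -j SNAT --to-source FIREWALL_IP

# Inbound DNAT for the published services. -A appends in file order,
# which is easier to read back than the -I (insert at head) used above;
# the rules match disjoint destinations, so the effect is the same.
-A PREROUTING -i eth0 -p tcp -d OLD_WEB_IP --dport 80   -j DNAT --to-destination 192.168.0.3:80
-A PREROUTING -i eth0 -p tcp -d OLD_WEB_IP --dport 443  -j DNAT --to-destination 192.168.0.3:443
-A PREROUTING -i eth0 -p tcp -d PROXY_IP   --dport 2048 -j DNAT --to-destination 192.168.0.2:2048
COMMIT

*filter
# Assumption (not shown in the message): accept the later packets of
# connections admitted by the --syn rules below, and the replies to
# connections the LAN hosts open outbound. With a DROP policy on
# FORWARD and no rule like this, only the first SYN would get through.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# New inbound connections to the published services only.
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 80   -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 443  -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.2 --dport 2048 -j ACCEPT
COMMIT
```

Load the file with iptables-restore and check the order with `iptables -t nat -L POSTROUTING -n -v --line-numbers`; the rule for 192.168.0.2 must be listed above the catch-all, and its packet counter should climb when the proxy opens a connection. The NAT mapping is stored in the conntrack entry when a connection starts, so connections that were already open when the rules changed keep FIREWALL_IP until they expire; a fresh connection from the proxy is the quickest way to confirm the new source on the database server's side. Note that the proxy rule rewrites the source for every destination the proxy talks to on eth0, not only the database, which is what a consistent public address for that host requires; the PROXY_IP and OLD_WEB_IP addresses must of course stay configured on eth0 so that the replies come back to the firewall.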

