From: Morgan Read <mstuff@read.org.nz>
To: Grant Taylor <gtaylor@riverviewtech.net>
Cc: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: IP redirect?
Date: Thu, 23 Oct 2008 22:51:38 +1300
Message-ID: <4900492A.1050101@read.org.nz>
In-Reply-To: <48FCB064.1020907@riverviewtech.net>
Below:
On 21/10/08 05:23, Grant Taylor wrote:
> On 10/20/08 04:34, Morgan Read wrote:
>> To redirect lan traffic addressed to the wan IP (e.g.) 123.456.789.012
>> to the lan IP address 192.168.1.123, I'm using the following:
>> $ iptables -t nat -I PREROUTING 1 -d 123.456.789.012 -j DNAT
>> --to-destination 192.168.1.123
>>
>> But, all internal traffic seems to get lost - 18 months ago when I
>> last did this, traffic to 123.456.789.012 seemed to hit 192.168.1.123
>> and come back without problem.
>
> Please search the mailing list archives for the "TCP Triangle". The
> most recent thread was "routing all HTTP requests to my own web server".
> Also, take a look at one of Julian's images
> "http://jengelh.hopto.org/images/dnat-mistake.png" for more information.
OK, thank you
>
>> I've added the following, with some interesting results:
>> $ iptables -t nat -I POSTROUTING 1 -s 192.168.1.40 -j SNAT --to-source
>> 58.28.20.69
>
> *nod*
>
>> Now, the traffic from the specific lan IP 192.168.1.123 does seem to
>> be redirected correctly and come back to itself. But still, all other
>> lan traffic seems to get lost.
>
> This is as I would expect.
>
>> Any ideas what's happening, where I'm getting lost?
>
> You are only SNATing traffic from (-s) 192.168.1.40. Try SNATing all
> traffic from your local LAN that is being redirected to your system.
>
> $ iptables -t nat -I POSTROUTING 1 -s 192.168.1.0/24 -d 192.168.1.123 -j
> SNAT --to-source 58.28.20.69
Thank you, it works - any ideas why the DNAT worked on its own without
the SNAT 18 months ago? Or is that a silly question...
Many thanks,
M.
--
Getting errors: "There are problems with the signature" (or similar)?
Update your system by installing certificates from CAcert Inc, see here:
http://wiki.cacert.org/wiki/BrowserClients?#head-259758ec5ba51c5205cfb179cf60e0b54d9e378b
Or, if Internet Explorer is your default browser, simply click this link:
http://www.cacert.org/index.php?id=17
Morgan Read
NEW ZEALAND
<mailto:mstuffATreadDOTorgDOTnz>
fedora & freedom; fact || fiction?
http://fedoraproject.org/wiki/Overview
get freed-ora!
http://www.fsfla.org/svnwiki/selibre/linux-libre/freed-ora
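
Added example, not part of the original thread and not netfilter code: a small Python model of the "TCP Triangle" case discussed above, showing which reply source address a LAN client sees with DNAT only, with SNAT matching a single host, and with SNAT matching the whole LAN. The WAN address 203.0.113.1 and the client 192.168.1.77 are constructed, and the function name `hairpin` is hypothetical; the other LAN addresses are those in the thread.

```python
import ipaddress

WAN_IP = "203.0.113.1"   # constructed stand-in for the router's WAN address
SERVER = "192.168.1.123"  # LAN server from the thread
LAN = ipaddress.ip_network("192.168.1.0/24")  # LAN subnet from the thread


def hairpin(client, snat_src=None):
    """Model one LAN client connecting to WAN_IP through the router.

    snat_src is the -s match of the POSTROUTING SNAT rule (CIDR string),
    or None for DNAT only. Returns (reply source the client sees, accepted).
    """
    src, dst = client, WAN_IP
    original = (src, dst)

    # PREROUTING: -d WAN_IP -j DNAT --to-destination SERVER
    if dst == WAN_IP:
        dst = SERVER
    # POSTROUTING: -s snat_src -d SERVER -j SNAT --to-source WAN_IP
    if (snat_src and dst == SERVER
            and ipaddress.ip_address(src) in ipaddress.ip_network(snat_src)):
        src = WAN_IP
    # The router's connection tracking maps the reply tuple back to the original.
    conntrack = {(dst, src): (original[1], original[0])}

    # The server replies to whatever source address it saw.
    reply_src, reply_dst = dst, src
    if ipaddress.ip_address(reply_dst) not in LAN:
        # Reply is addressed to the router, so both rewrites are reversed.
        reply_src, reply_dst = conntrack[(reply_src, reply_dst)]
    # Otherwise the reply goes straight across the LAN, the router never
    # sees it, and the DNAT is never undone (the "TCP triangle").

    # The client's socket is connected to WAN_IP and accepts nothing else.
    return reply_src, reply_src == WAN_IP


if __name__ == "__main__":
    # 192.168.1.77 is a constructed second LAN client.
    cases = [("192.168.1.40", None), ("192.168.1.40", "192.168.1.40/32"),
             ("192.168.1.77", "192.168.1.40/32"), ("192.168.1.77", "192.168.1.0/24")]
    for client, rule in cases:
        seen, ok = hairpin(client, rule)
        print(f"{client} SNAT -s {rule}: reply from {seen}, accepted={ok}")
```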
Thread overview: 4+ messages
2008-10-20 9:34 IP redirect? Morgan Read
2008-10-20 16:23 ` Grant Taylor
2008-10-23 9:51 ` Morgan Read [this message]
2008-10-23 13:56 ` Grant Taylor