* [LARTC] DNAT rare problem...
@ 2003-07-17 0:32 ThE PhP_kiD
2003-07-17 4:51 ` Martin A. Brown
0 siblings, 1 reply; 2+ messages in thread
From: ThE PhP_kiD @ 2003-07-17 0:32 UTC (permalink / raw)
To: lartc
Hi!
I've the next network:
inet
|
|
| 20.5.90.194/26
| 20.5.90.195/26
---------------------
| eth0 |
| |
| internet gateway |
| |
| eth1 |
---------------------
| 192.168.100.254/24
| 192.168.210.254/24
|
+------------------+-----+----------------+
| | |
| 192.168.100.1/24 | 192.168.210.1 |
| | |192.168.210.2
-------------- +------------+ +--------+
| eth0 | | host 1 | | host 2 |
| SENDMAIL | +------------+ +--------+
--------------
The internet gateway is a linux 2.4.21 with iptables 1.2.8
On eth0, it haves two IPs public:
20.5.90.194/26
20.5.90.195/26
Since I can't to route last public IPs, and I need to run
a Sendmail server that can be visible from internet, I have maked
a DNAT rule, (and some SNAT rules too, in order to provide
internet access to LAN)
# iptables -L -t nat -n
give me the next:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- 0.0.0.0/0 200.5.90.195 to:192.168.100.1
ACCEPT all -- 192.168.100.1 0.0.0.0/0
ACCEPT all -- 192.168.210.1 0.0.0.0/0
ACCEPT all -- 192.168.210.2 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 192.168.100.0/24
SNAT all -- 192.168.100.1 0.0.0.0/0 to:20.5.90.195
SNAT all -- 192.168.210.1 0.0.0.0/0 to:20.5.90.194
SNAT all -- 192.168.210.2 0.0.0.0/0 to:20.5.90.194
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
From Internet (wan site), I can reach without problems the Sendmail server
host, making ping to 20.5.90.195, and open port 25.
From Lan side (hosts 192.168.102.1 or 192.168.102.2), I can ping to 20.5.90.195
but I can't to open port 25...
(but sometimes, I can do it !!)
What happen ????????
Thank you very very much in advance.
Mac
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: [LARTC] DNAT rare problem...
2003-07-17 0:32 [LARTC] DNAT rare problem ThE PhP_kiD
@ 2003-07-17 4:51 ` Martin A. Brown
0 siblings, 0 replies; 2+ messages in thread
From: Martin A. Brown @ 2003-07-17 4:51 UTC (permalink / raw)
To: lartc
Hello there Mac,
[ nicely drawn map snipped ]
[ succinct NAT tables snipped ]
: From Internet (wan site), I can reach without problems the Sendmail
: server host, making ping to 20.5.90.195, and open port 25.
Seems correct.
: From Lan side (hosts 192.168.102.1 or 192.168.102.2), I can ping to
: 20.5.90.195 but I can't to open port 25...
Interesting. I wouldn't expect that to work at all.
: (but sometimes, I can do it !!)
Even more interesting....
Is the linux NAt/masq router perhaps not suppressing ICMP redirects?
: What happen ????????
I'd suggest using DNAT for packets on the way in from the internal network
(your existing rules should take care of this), and using SNAT for packets
destined for the sendmail box from the internal network.
iptables -t nat -s 192.168.102.0/24 -d 20.5.90.195 -p tcp --dport 25 \
-j SNAT --to-source 192.168.100.254
-Martin
P.S., A far better solution would be to use split-horizon DNS and have the
internal hosts connect to the private IP address.
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2003-07-17 4:51 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-07-17 0:32 [LARTC] DNAT rare problem ThE PhP_kiD
2003-07-17 4:51 ` Martin A. Brown
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.