From: "Vlad Mihai" <mihaivlad@web-profile.net>
To: lartc@vger.kernel.org
Subject: [LARTC] DNAT issues
Date: Thu, 21 Aug 2003 17:50:22 +0000
Message-ID: <marc-lartc-106148898520234@msgid-missing>
Hi guys,
Suppose I have the following configuration:
            ------------------
LAN --------| eth0      eth1 |------- Internet
            |                |
            ------------------
              Linux Router
eth0_IP = 192.168.0.1 (LAN)
eth1_IP = 194.105.29.2 (IP)
I use the machine only as a router, so all the other services (HTTP, FTP) are hosted on another machine connected to my LAN (192.168.0.2).
My LAN clients use the Linux machine as a NAT firewall (SNAT in fact).
I have only one IP given by my ISP for my whole home network (194.105.29.2).
So accessing different services on my LAN from the Internet must be done through that single IP (even though the services are hosted on different machines).
So the solution is DNAT :)
Here is what I have done:
iptables -t nat -A PREROUTING -i eth1 -d 194.105.29.2 -p TCP --dport 80 -j DNAT --to-destination 192.168.0.2
When I try to access the web server from the Internet, the DNAT is working!
Now, the problem comes when a machine like 192.168.0.121 wants to access the web server.
(Keep in mind that the client, 192.168.0.121, is on the same subnet as the web server, 192.168.0.2.)
This machine (192.168.0.121) will send a request to 194.105.29.2 wanting to access the web server.
The router will "redirect" the request to 192.168.0.2 (as it is supposed to do).
Now when the packets arrive on 192.168.0.2, the web server will see packets from 192.168.0.121.
It will send the packets to 192.168.0.121 as it was requested, BUT NOT THROUGH THE ROUTER!!!
192.168.0.2 is on the same subnet as 192.168.0.121, so the packets will follow the shorter route, avoiding the Linux router.
Now, the web browser on 192.168.0.121 will see packets coming from 192.168.0.2, and it will assume they are bogus packets and will ignore them... SO, NO CONNECTION...
Remember, 192.168.0.121 asked for packets from 194.105.29.2 and not from 192.168.0.2!!!
What can I do to allow my LAN clients to access the web server through the router?
Please write me a line of code :) I am new to "iptables" :(
Thanking you in advance,
Mihai Vlad
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
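The usual fix for the asymmetric-return problem described in the post is "hairpin" NAT: DNAT the LAN clients' packets too, and additionally SNAT those hairpinned flows to the router's LAN address so the server's replies come back through the router, where conntrack restores 194.105.29.2 as the source the client expects. The script below is an added example, not a reply from the list or code from the original post; it uses the addresses and interfaces from the post, assumes the LAN is 192.168.0.0/24, and only prints the iptables commands unless run with IPT=iptables.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rule set for the topology in the post.
# Added example. Dry run by default: prints the commands it would run.
# Apply for real with:  IPT=iptables sh hairpin.sh
set -eu

PUB_IF=eth1; LAN_IF=eth0
PUB_IP=194.105.29.2; ROUTER_LAN_IP=192.168.0.1
LAN_NET=192.168.0.0/24            # assumed LAN prefix
SERVER=192.168.0.2; PORT=80
IPT="${IPT:-echo iptables}"

hairpin_nat_rules() {
    # 1. The rule from the post: DNAT connections arriving from the Internet.
    $IPT -t nat -A PREROUTING -i "$PUB_IF" -d "$PUB_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER"
    # 2. LAN clients connecting to the public IP need the same DNAT;
    #    the "-i eth1" match in rule 1 never sees their packets.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUB_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER"
    # 3. Rewrite the source of those hairpinned flows to the router's LAN
    #    address, so the server answers the router instead of the client
    #    directly; conntrack then un-DNATs the reply back to 194.105.29.2.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" \
        -p tcp --dport "$PORT" -j SNAT --to-source "$ROUTER_LAN_IP"
    # 4. Allow the forwarded flow (in and out the same interface) and its replies.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SERVER" -p tcp --dport "$PORT" \
        -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

hairpin_nat_rules
```

Because of rule 3 the web server's logs show 192.168.0.1 instead of the real LAN client for hairpinned connections, which matters when you later need to attribute requests. Split-horizon DNS (resolving the name to 192.168.0.2 inside the LAN) avoids both the extra NAT and that loss of attribution.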