From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paul Wouters paul@xtdnet.nl
Date: Fri, 02 Mar 2001 17:24:39 +0000
Subject: [LARTC] NAT+portfw failure
Message-Id: <marc-lartc-98373940417077@msgid-missing>
List-Id: <lartc.vger.kernel.org>
References: <marc-lartc-98373940417054@msgid-missing>
In-Reply-To: <marc-lartc-98373940417054@msgid-missing>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

<PRE>On Wed, 28 Feb 2001, striscio wrote:

&gt;<i> Subject: Re: [LARTC] NAT+portfw failure
</I>
There is answer is at:

<A HREF="http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-10.html">http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-10.html</A>

Paul


The classic case is that internal staff try to access your `public' web server, which is actually DNAT'ed from the public address (1.2.3.4) to an internal machine
(192.168.1.1), like so:

     # iptables -t nat -A PREROUTING -d 1.2.3.4 \
             -p tcp --dport 80 -j DNAT --to 192.168.1.1

One way is to run an internal DNS server which knows the real (internal) IP address of your public web site, and forward all other requests to an external DNS
server. This means that the logging on your web server will show the internal IP addresses correctly.

The other way is to have the NAT box also map the source IP address to its own for these connections, fooling the server into replying through it. In this example,
we would do the following (assuming the internal IP address of the NAT box is 192.168.1.250):

     # iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
             -p tcp --dport 80 -j SNAT --to 192.168.1.250

Because the PREROUTING rule gets run first, the packets will already be destined for the internal web server: we can tell which ones are internally sourced by the
source IP addresses.




</PRE>