Linux Netfilter discussions
From: Magnus Solvang <magnus@solvang.net>
To: netfilter@lists.netfilter.org
Subject: Re: lan users surfing on lan webserver
Date: Mon, 3 Mar 2003 14:37:01 +0100	[thread overview]
Message-ID: <20030303133701.GD7199@first.knowledge.no> (raw)
In-Reply-To: <20030227123531.GA26259@first.knowledge.no>

I'm trying this one one more time, since I still haven't found a
solution.
I have moved a webserver behind my iptables-firewall.
Outside dns for this webserver still points to its external ip-address,
so I've set up the firewall to listen to this ip-address (ethx-alias),
and forward the traffic to the internal webserver using DNAT. This
works.
However, the clients on the LAN cannot use the external URL to surf to
this machine, they have to use its internal ip-address (I know I could
set up Bind on the inside, but I'm trying to avoid this).
I'm using the solutions suggested in the NAT-Howto:

  http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

but the traffic is not reaching the internal webserver.

Using tcpdump, I see that when the client tries to connect to

http://$external_url/

it connects to the ethX-alias on the firewall (the webserver's old
ip-address), and thus gets a "Connection refused", since the firewall
isn't running a webserver - it's only supposed to forward the traffic
bound for this ip-address to the internal webserver. But the forwarding
is not working when initiated from the LAN.

I have this relevant FORWARD chain:
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -d $EXTWEBSERVER1 --dport 80 -j ACCEPT

PREROUTING:
$IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTWEBSERVER1 -p tcp \
--dport 80 -j DNAT --to $INTWEBSERVER1

POSTROUTING (http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html)

$IPTABLES -t nat -A POSTROUTING -d $INTWEBSERVER1 -s $INTRANET -p tcp \
--dport 80 -j SNAT --to-source 192.168.1.20

192.168.1.20 being the firewall's LAN-address...

- M
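One rule set that implements the NAT-HOWTO hairpin pattern the message refers to, as an added example (not the poster's rules and not text from the HOWTO); the address values are assumed placeholders. The PREROUTING rule deliberately carries no "-i" restriction, because a rule limited to the external interface never matches packets arriving from the LAN, and the accept rule sits in FORWARD, since DNATed packets are forwarded rather than delivered locally.

```shell
#!/bin/sh
# Hairpin ("NAT loopback") rules for a DNATed webserver. Added example,
# not the poster's rule set; the addresses below are assumed placeholders.
IPTABLES="${IPTABLES:-iptables}"
EXTWEBSERVER1="${EXTWEBSERVER1:-203.0.113.10}"  # public alias on the external interface
INTWEBSERVER1="${INTWEBSERVER1:-192.168.1.80}"  # real webserver on the LAN
INTRANET="${INTRANET:-192.168.1.0/24}"          # LAN subnet
FWLAN="${FWLAN:-192.168.1.20}"                  # firewall's LAN address

hairpin_rules() {
    # 1. DNAT port 80 for the public address on *any* ingress interface.
    #    A rule restricted with "-i $EXTIF" only matches packets arriving
    #    from the Internet, so LAN clients would end up at the alias itself.
    "$IPTABLES" -t nat -A PREROUTING -d "$EXTWEBSERVER1" -p tcp --dport 80 \
        -j DNAT --to-destination "$INTWEBSERVER1"

    # 2. DNATed packets are routed, not delivered locally, so they traverse
    #    FORWARD; an INPUT rule never sees them.
    "$IPTABLES" -A FORWARD -d "$INTWEBSERVER1" -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -s "$INTWEBSERVER1" -p tcp --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. For LAN clients only, rewrite the source to the firewall's LAN
    #    address so the webserver's replies come back through the firewall
    #    (which reverses the DNAT) instead of going straight to the client,
    #    whose TCP stack would reset a reply from an address it never contacted.
    "$IPTABLES" -t nat -A POSTROUTING -s "$INTRANET" -d "$INTWEBSERVER1" \
        -p tcp --dport 80 -j SNAT --to-source "$FWLAN"
}

# Apply only when invoked as "sh hairpin.sh apply" (as root); sourcing the
# file just defines the function. IPTABLES=echo prints the rules instead.
case "${1:-}" in apply) hairpin_rules ;; esac
```

Set IPTABLES=echo before calling hairpin_rules to review the generated rules without touching the running tables.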


Thread overview: 11+ messages
2003-02-25 21:53 lan users surfing on lan webserver Magnus Solvang
2003-02-27 12:35 ` Magnus Solvang
2003-02-27 13:51   ` Problem with string hare ram
2003-02-27 13:48     ` Problem with string (remove References-line in mailhead) Magnus Solvang
2003-02-27 14:37       ` Joel Newkirk
2003-02-27 15:01         ` Magnus Solvang
2003-02-27 14:36     ` Problem with string Raymond Leach
2003-03-03 13:37   ` Magnus Solvang [this message]
2003-03-03 13:59     ` lan users surfing on lan webserver Joel Newkirk
2003-03-03 14:47       ` Magnus Solvang
  -- strict thread matches above, loose matches on Subject: below --
2003-02-26  1:37 Andrej Ricnik
