nat troubles

Bernd Podey Bernd.Podey@gmx.de
Fri, 10 Nov 2000 08:44:31 +0100


Hello!

I think you will need a source address translation on your firewall. 


At first, use your command for the destination NAT:

iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 -d <real ip> \
--dport 80 -i eth1 -j DNAT --to 192.168.0.10:80

and then the SNAT:

iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 -d 192.168.0.10 \
--dport 80 -o eth1 -j SNAT --to <internal IP-Address of your Linux-Box>

This will force the packets to go back to the Linux box and be
re-NATed, so the packet comes from the destination the local computer
sent the first packet to.

I hope this will help you.

Bernd

 
geoffrey@ticom.com wrote:
> 
> Okay, can someone **PLEASE** clue me?!!!! I cannot get NAT to make
> internal requests for my NAT'd web server go to the correct internal
> address! I have pretty much ground my teeth to knubs by now. My first
> attempt was straight from the NAT-HOWTO by Rusty:
> 
> iptables -A OUTPUT -t nat -p tcp -d <real ip> --dport 80 -j DNAT \
> --to 192.168.0.10:80
> 
> This didn't work. Then I saw the post by Harald regarding "OUTPUT" not
> working, and to not use it. So, I pressed on. I then tried:
> 
> iptables -t nat -A PREROUTING -p tcp -d <real ip> --dport 80 -i eth1 \
> -j DNAT --to 192.168.0.10:80
> 
> This also didn't work. Next I tried this:
> 
> iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 -d <real ip> \
> --dport 80 -i eth1 -j DNAT --to 192.168.0.10:80
> 
> No joy! What really bothers me is the fact that the internal machines can
> get to the webserver by using its "correct" internal ip address! I need to
> solve this issue so I know how to do the same for my dns, smtp, pop3, ftp,
> nntp, etc. servers. Thanks for any and all help.
> 
> geoffrey
> --
> +++++++++++++++++++++++++++++++++++
> Santa Claus,
> the Tooth Fairy,
> Windows 2000 ...
> Some things you just outgrow.
> ++++++++++++++++++++++++++++++++++
> 
> Key fingerprint ===> B83C C6E1 68F8 CEC9 8636  86B5 1F0E 9D33 E749 1BA6
> Public key available upon request.
> 
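
The reply's reasoning for adding SNAT next to the DNAT rule, traced as a small packet-flow model. This is an added example, not code from the thread; REAL_IP, FW_LAN, the client address and the port number are constructed stand-ins for values the messages leave as placeholders.

```python
import ipaddress

# Constructed addresses: REAL_IP stands in for <real ip>, FW_LAN for the
# Linux box's internal address; the thread gives neither value.
LAN = ipaddress.ip_network("192.168.0.0/24")
REAL_IP, FW_LAN = "203.0.113.5", "192.168.0.1"
SERVER, CLIENT = "192.168.0.10", "192.168.0.50"

def firewall_forward(pkt, conntrack, snat):
    """Apply the PREROUTING DNAT and, optionally, the POSTROUTING SNAT."""
    out = dict(pkt)
    if pkt["dst"] == REAL_IP and pkt["dport"] == 80:
        out["dst"] = SERVER                       # DNAT --to 192.168.0.10:80
    if snat and ipaddress.ip_address(pkt["src"]) in LAN and out["dst"] == SERVER:
        out["src"] = FW_LAN                       # SNAT --to the box's LAN address
    # Remember how to undo both translations for the reply direction.
    conntrack[(out["dst"], out["src"], pkt["sport"])] = (pkt["dst"], pkt["src"])
    return out

def firewall_reply(pkt, conntrack):
    """Reverse the translations for a reply that actually reaches the firewall."""
    orig_dst, orig_src = conntrack[(pkt["src"], pkt["dst"], pkt["dport"])]
    return dict(pkt, src=orig_dst, dst=orig_src)

def hairpin(snat):
    """Return (source address the client sees on the reply, client accepts it)."""
    conntrack = {}
    syn = {"src": CLIENT, "dst": REAL_IP, "sport": 40000, "dport": 80}
    at_server = firewall_forward(syn, conntrack, snat)
    # The server answers whatever source address it saw on the request.
    reply = {"src": SERVER, "dst": at_server["src"], "sport": 80, "dport": syn["sport"]}
    if reply["dst"] == FW_LAN:
        reply = firewall_reply(reply, conntrack)  # passes back through the NAT box
    # Otherwise the server reaches the client directly on the shared LAN,
    # so the firewall never sees the reply and cannot rewrite its source.
    accepted = (reply["src"], reply["dst"]) == (REAL_IP, CLIENT)
    return reply["src"], accepted

if __name__ == "__main__":
    print("DNAT only :", hairpin(snat=False))
    print("DNAT+SNAT :", hairpin(snat=True))
```

With DNAT alone the reply arrives from 192.168.0.10, an address the client never connected to, so its TCP stack discards it. The cost of the SNAT rule is that the web server logs every internal client as the firewall's address.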