How do you route packets from internal network?

Obsid obsid@Sentry.net
Tue, 14 Nov 2000 22:40:06 -0800 (PST) 

Hello,

Common configuration problem.
The problem is basically that when you send a request to your www it is
"redirected" to your internal machine, 192.168.1.2.  Then when 192.168.1.2
wants to reply it sees that the requesting machine, 192.168.1.3, is on the
same subnet so it replies directly.  As a result the Synch numbers don't
match up, and when a reply is sent back to the requesting
machine(192.168.1.3) it immediately sends a reset to 192.168.1.2 to try
and resynch the connection.  Check out tcpdump to see this.

The packet needs to pass back through the firewall in order to make this
work properly.  Here's an example:

## DNAT ##
/usr/local/bin/iptables -t nat -A PREROUTING -i eth0 -p tcp \
	-s 192.168.1.0/24 -d 1.2.3.4 --dport 80 \
	-j DNAT --to 192.168.1.2:80

## SNAT ##
/usr/local/bin/iptables -t nat -A POSTROUTING -o eth0 -p tcp \
	-s 192.168.1.0/24 -d 192.168.1.2 --dport 80 \
	-j SNAT --to 192.168.1.1

So, basically, we're changing both source and destination IP addresses
under only specific circumstances.  As far as 192.168.1.2 is concerned,
it's talking to the firewall throughout the whole transfer.

This, uh, works.  Some wierdnesses have popped up with this config.  If at
all possible, throw another NIC in the box and put the web server on a
DMZ, on another subnet.  May save some headaches

-Obsid
http://www.sentry.net/~obsid/


On Tue, 14 Nov 2000, andy sullivan wrote:

> All I am trying to accomplish is redirecting port 80 (WWW) from my firewall,
> to an internal machine.  Easy right?  Netfilter handles this fine.  However,
> if I try to browse that server from another machine on the internal network
> it fails.  As of now I am using the "REDIR" proxy I downloaded from
> freshmeat long ago to circumvent this problem.  It looks to me that the
> netfilter howto says this can be done by adding a DNAT rule to the OUTPUT
> chain in the NAT table.
>
> For instance, doing something like this:  iptables -t nat -A OUTPUT -p
> tcp -d <external ip> --dport 80 -j DNAT --to <internal ip>
>
> Is this not what the above command accomplishes?  If not can something
> please give me the proper syntax.  To clarify I will give more specifics on
> my network layout.
>
> My firewall has two NICS.  External nic is IP:  1.2.3.4 and Internal nic is
> IP: 192.168.1.1 (internal net is 192.168.1.0/24).  Lets say I have a web
> server running on the standard port 80 in the internal net on IP
> 192.168.1.2.  Now lets say I have another computer in the internal net with
> IP 192.168.1.3.  From 192.168.1.3 I try to browse using internal IP
> 192.168.1.2 and it works fine.  If I try to browse to external IP 1.2.3.4 no
> server is found.  Is there a way to use either the NAT or MANGLE table to
> accomplish this?  I would rather not rely on using the REDIR proxy anymore
> if iptables can accomplish this.
>
> Andy
>
>
>