DNAT from internet _and_ internal LAN

Michael Baltaks mbaltaks@mac.com
Wed, 4 Jul 2001 09:37:23 +1000 

Hi,

I have a debian Gnu/Linux internet gateway running kernel 2.4.4 with 
iptables, and I have a website on an internal machine which is 
exposed to the internet via DNAT.

The relevant lines from my firewall script:

# Web server
$IPTABLES -A PREROUTING -t nat -p TCP -d $INET_IP --dport 80 -j DNAT 
--to $DMZ1:80
$IPTABLES -A POSTROUTING -t nat -p TCP -d $DMZ1 --dport 80 -s 
$LAN_IP_RANGE -j SNAT --to $LAN_IP
$IPTABLES -A OUTPUT -t nat -p TCP -d $INET_IP --dport 80 -j DNAT --to $DMZ1:80
# Enable web server
$IPTABLES -A FORWARD -p tcp -d $DMZ1 --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $DMZ1 --sport 80 -j ACCEPT

This works fine from the internet, but I get the following tcpdump 
when using 'telnet $INET_IP 80' from the gateway box itself:
17:07:05.302965 gateway.zbcom.net.1861 > zephyr01.zbcom.net.www: S 
364682501:364682501(0) win 16396 <mss 16396,sackOK,timestamp 
11729286[|tcp]> (DF) [tos 0x10]
17:07:05.303196 zephyr01.zbcom.net.www > gateway.zbcom.net.1861: S 
698326:698326(0) ack 364682502 win 8760 <mss 1460> (DF)
17:07:05.303436 gateway.zbcom.net.1024 > zephyr01.zbcom.net.www: R 
364682502:364682502(0) win 0 (DF)
17:07:08.262859 zephyr01.zbcom.net.www > gateway.zbcom.net.1861: S 
698326:698326(0) ack 364682502 win 8760 <mss 1460> (DF)
17:07:08.263132 gateway.zbcom.net.1024 > zephyr01.zbcom.net.www: R 
364682502:364682502(0) win 0 (DF)
17:07:08.300323 gateway.zbcom.net.1861 > zephyr01.zbcom.net.www: S 
364682501:364682501(0) win 16396 <mss 16396,sackOK,timestamp 
11729586[|tcp]> (DF) [tos 0x10]
17:07:08.300445 zephyr01.zbcom.net.www > gateway.zbcom.net.1861: . 
ack 1 win 8760 (DF)
17:07:08.300656 gateway.zbcom.net.1024 > zephyr01.zbcom.net.www: R 
364682502:364682502(0) win 0 (DF)

So the first two parts of the handshake happen OK, but then the third 
part is sent from a different port (1024 instead of 1861) - and I 
can't work out why that is. I'm making a connection from the gateway 
itself because I have a proxy server on this box and I would like 
that to work.

It currently doesn't work, so if anyone could give me a suggestion as 
to why I'd be a happy man again. ;)

-Michael.