DNAT again
Derrik Pates
dpates@dsdk12.net
Fri, 27 Jul 2001 13:41:20 -0600 (MDT)
On Fri, 27 Jul 2001, Harald Scharf wrote:
> The problem was:
> DNAT worked fine from the Internet (external), but if a request came from
> the internal network, the translation failed.
Yes, read the HOWTOs. The problem is that when the packet is redirected on
the same network, it's happily forwarded on to the new target - but the
new target sees that the source address is on its subnet, so it sends the
response packet directly back to the machine that initiated the
connection. However, because the source machine thinks it's talking to the
redirecting machine, NOT the machine that sent it a packet, it gets
confused, and the connection times out.
Basically, you have to add an SNAT in the POSTROUTING table for packets
that are targeted to the "new" destination from an internal IP address.
That way, the target machine knows to send the packet back to the
redirecting machine, to have the NATing reversed, and the packet passed
back to the source system. It has a little overhead because the packets
then have to go back to the machine doing the redirection, but there's no
other clean way to do it.
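The failure and the fix described above, modelled as an added example (not code from the original message); the addresses, the port and the iptables rules quoted in the comment are constructed assumptions:

```python
# Added example: model of the hairpin-DNAT problem and the POSTROUTING SNAT fix.
# All addresses and the port are constructed for illustration.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN = "192.168.1.1"   # redirecting machine, internal address
ROUTER_WAN = "203.0.113.5"   # redirecting machine, public address
SERVER = "192.168.1.20"      # the "new" DNAT target

# Rules this model stands in for (assumed addresses, assumed port 80):
#   iptables -t nat -A PREROUTING  -d 203.0.113.5 -p tcp --dport 80 \
#       -j DNAT --to-destination 192.168.1.20
#   iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.20 \
#       -p tcp --dport 80 -j SNAT --to-source 192.168.1.1

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def on_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN

def attempt(client: str, hairpin_snat: bool) -> bool:
    """True if the client gets a reply from the address it connected to."""
    request = Packet(client, ROUTER_WAN)
    # PREROUTING: DNAT the public address to the internal server.
    forwarded = Packet(request.src, SERVER)
    # POSTROUTING: SNAT only for requests that came from the internal net.
    if hairpin_snat and on_lan(forwarded.src):
        forwarded = Packet(ROUTER_LAN, SERVER)
    # Conntrack remembers how to reverse the translation for the reply.
    conntrack = {(forwarded.dst, forwarded.src): (request.dst, request.src)}
    # The server answers whatever source address it saw.
    reply = Packet(forwarded.dst, forwarded.src)
    # Replies to off-LAN hosts use the default gateway (the router), as do
    # replies to the router itself; other LAN hosts get the packet directly.
    via_router = reply.dst == ROUTER_LAN or not on_lan(reply.dst)
    if via_router:
        reply = Packet(*conntrack[(reply.src, reply.dst)])
    # The client only matches replies coming from the address it connected to.
    return reply == Packet(ROUTER_WAN, client)

if __name__ == "__main__":
    print("internal, no SNAT:", attempt("192.168.1.10", False))   # False
    print("internal, SNAT:   ", attempt("192.168.1.10", True))    # True
    print("external, no SNAT:", attempt("198.51.100.7", False))   # True
```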
Derrik Pates | Sysadmin, Douglas School | #linuxOS on EFnet
dpates@dsdk12.net | District (dsdk12.net) | #linuxOS on OPN