connecting through firewall

Brad Chapman kakadu@earthlink.net
Fri, 27 Jul 2001 16:22:06 -0400


Mr. Linabery,

   Please excuse the horrifying ASCII art, but I think this is what your network
looks like:

   webby ---------------------> gates ----------------------> intern
   192.168.1.x        192.168.1.1   10.0.0.1                  10.0.0.x

   You bind a socket on webby, call it 192.168.1.x:35265, and you communicate
to gates on 192.168.1.1:2345, BUT you instead want it to go through gates to
intern at 10.0.0.x:2345. Am I right so far?

   If I am, then you don't want to do DNAT, you want to do SNAT, like this:

   iptables -t nat -A POSTROUTING -p tcp --dport 2345 -j SNAT --to 10.0.0.x:2345

   Do this on gates, and hopefully this will allow webby's Java program to yak to
your webserver on intern and send the required file.

   If any of this is wrong, please clarify whatever is horribly wrong ;-)

Brad

Steve Linabery wrote:

> Hi,
> 
> I'm using iptables as the firewall on a gateway between our LAN and our
> dsl router.
> 
> I'm running a webserver on a static public ip address.  I want to run a
> java server program on a box on the internal LAN (192.168.1.x) that will
> serve a file needed occasionally by the public webserver.
> 
> Let's call these three hosts webby, gates, and intern.
> 
> I want to run a java program on webby that opens a socket to gates on
> port 2345, but the connection is really made to intern.  So the process
> on webby should be able to write to the socket, intern should be able to
> read from the socket, and write back to webby.
> 
> I've tried doing something like this on gates:
> /path/to/iptables -t nat -A PREROUTING -i (internet interface) -p tcp -s (webby ip) --dport 2345 -j DNAT --to-destination (intern ip)
> 
> I'm doing masquerading on the internal LAN boxes, so they can do things
> like browse the internet, etc., with no trouble, so it doesn't seem like
> I should need to set up the nat going out (since it's already set up).
> 
> When I try to telnet to a server process on intern, it just hangs.
> 
> I'm thinking I need to add a rule to the packet filter to allow packets
> going to intern's ip address to go through.
> 
> But if anyone has a quick suggestion for how to set this up (and is
> still reading this), please let me know.
> 
> Thanks,
> Steve Linabery
>
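
As an added example (not code from either poster): a small shell script for
gates that emits Steve's PREROUTING DNAT rule together with the FORWARD rules he
suspected were missing, with every address made explicit so the ruleset can be
reviewed before it is applied. The interface name eth0, the public address
203.0.113.10 for webby and the LAN address 192.168.1.20 for intern are
assumptions (constructed for the example); override them in the environment.

```shell
#!/bin/sh
# Forward one TCP port from a public host, through the iptables gateway, to a
# LAN box. Added example, not code from either poster. All addresses and the
# interface name are assumptions; override them in the environment.
WAN_IF=${WAN_IF:-eth0}               # gates' Internet-facing interface (assumed)
WEBBY_IP=${WEBBY_IP:-203.0.113.10}   # public webserver that opens the socket (constructed)
INTERN_IP=${INTERN_IP:-192.168.1.20} # LAN host running the Java server (constructed)
PORT=${PORT:-2345}
IPT=${IPT:-iptables}

# Emit the rules rather than run them, so the ruleset can be read first.
#  1. nat/PREROUTING: rewrite the destination from gates to intern, but only
#     for packets arriving on the WAN side from webby's address.
#  2. FORWARD (in): let the translated packets reach intern; the first packet
#     of the connection is NEW, the rest ESTABLISHED.
#  3. FORWARD (out): let intern's replies back out to webby. Conntrack undoes
#     the DNAT on the reply in POSTROUTING, so at FORWARD time the reply still
#     carries intern's address as its source.
forward_rules() {
  cat <<EOF
$IPT -t nat -A PREROUTING -i $WAN_IF -p tcp -s $WEBBY_IP --dport $PORT -j DNAT --to-destination $INTERN_IP:$PORT
$IPT -A FORWARD -i $WAN_IF -p tcp -s $WEBBY_IP -d $INTERN_IP --dport $PORT -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -o $WAN_IF -p tcp -s $INTERN_IP --sport $PORT -d $WEBBY_IP -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Apply on gates as root. IP forwarding must be on in the kernel or the
# translated packets are silently dropped after PREROUTING.
apply_rules() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  forward_rules | sh -e
}

case "${1:-show}" in
  show)  forward_rules ;;
  apply) apply_rules ;;
  *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the three rules, and with `apply` on gates to
load them. The existing MASQUERADE rule for the LAN needs no change: intern's
replies belong to a connection conntrack already knows from the DNAT, so they
are reverse-translated rather than masqueraded. The rules are appended with
`-A`; if an earlier FORWARD rule on gates already rejects WAN-to-LAN traffic,
insert them ahead of it with `-I` instead. `iptables -t nat -L -n -v` and
`iptables -L FORWARD -n -v` show the packet counters, which is the quickest way
to see which rule a hanging telnet is stopping at.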