Problems with PREROUTING

Jefferson Cowart jeff@cowart.net
Mon, 7 Jan 2002 23:46:39 -0800


Almost... I had this problem recently. You need to leave that PREROUTING
rule in place and also add the POSTROUTING rule. What you did caused the
requests to get forwarded but the server would look at the source
address and see that it was on the same network so the responses would
be returned directly to the machine. The machine would look at the
packets and be confused by them as it never sent any packets to the IP
address the packets would be returning from. The POSTROUTING rule below
forces all transmissions to go through the router which then has the
ability to properly mask the source AND destination as necessary. 

----------------
Thanks
Jefferson Cowart
Jeff@cowart.net 

-----Original Message-----
From: "Darrell Dieringer" <netfilter@darrelldieringer.com>
To: <netfilter@lists.samba.org>,
	"Rimantas Mocevicius" <rmocius@auste.elnet.lt>
Subject: RE: Problems with PREROUTING
Date: Mon, 7 Jan 2002 15:00:43 -0600

Hello,

With the help of another lister, I solved the very same problems last
weekend.  You need to take out the "PREROUTING" rule you added, and do
this instead...

# SNAT if source is internal
iptables -t nat -A POSTROUTING -p tcp --dport 80 -d $<internal box> \
   -s $<anywhere in the internal network - probably 10.0.0.0/8> \
   -j SNAT --to $<ip_addr_of_NIC_serving_internal_network>

See this link to understand why this works...
http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-10.html

So anyone searching the archives in the future can find this posting,
here are some key words...
"port forward" "onto same network".

In fact, a google search for "onto same network" +forward +linux gives
quite a few hits.

Good Luck,

D

-----Original Message-----

I have the Firewall and Web servers.
I use PREROUTING to forward from external IP to internal IP this
command:

 iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp \
    -d $EXTERNALIP --dport 80 -j DNAT --to-destination \
    10.105.105.198:80

and tried to add this:

 iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
    -d $EXTERNALIP --dport 80 -j DNAT --to-destination \
    10.105.105.198:80

Everything works fine except I can't open my web page from internal
network.
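The asymmetric-reply problem that Jefferson's and Darrell's messages above describe, modelled as an added Python simulation (this is not code from any poster or from the netfilter project). It assumes constructed addresses: 203.0.113.10 for $EXTERNALIP, 10.105.105.1 for the router's LAN-side NIC, 10.105.105.50 for a LAN client and 198.51.100.7 for an Internet client; only the web server 10.105.105.198 comes from the thread. Conntrack is reduced to a dictionary keyed by the expected reply tuple; the real kernel state machine is richer, but the routing decision the simulation makes is the one that matters here: a reply addressed to a host on the same segment never passes the router.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample addresses for the simulation. Only 10.105.105.198 (the
# web server) comes from the thread; the others stand in for $EXTERNALIP,
# $<ip_addr_of_NIC_serving_internal_network> and the two clients.
LAN = ipaddress.ip_network("10.105.105.0/24")
EXTERNAL_IP = "203.0.113.10"      # router's public address ($EXTERNALIP)
ROUTER_LAN_IP = "10.105.105.1"    # router's LAN-side NIC, the SNAT target
WEB_SERVER = "10.105.105.198"     # DNAT target from the original post
LAN_CLIENT = "10.105.105.50"      # browser on the internal network
EXTERNAL_CLIENT = "198.51.100.7"  # browser somewhere on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def reply_to(pkt):
    """The TCP reply tuple: source and destination swapped."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


class Router:
    """nat table of the firewall: PREROUTING DNAT is always present,
    POSTROUTING SNAT for LAN sources only when with_snat is True."""

    def __init__(self, with_snat):
        self.with_snat = with_snat
        # Simplified conntrack: reply tuple as it will arrive on the wire
        # -> the request exactly as the client originally sent it.
        self.conntrack = {}

    def nat_forward(self, pkt):
        original = pkt
        # PREROUTING: -d $EXTERNALIP -p tcp --dport 80
        #             -j DNAT --to-destination 10.105.105.198:80
        if pkt.dst == EXTERNAL_IP and pkt.dport == 80:
            pkt = replace(pkt, dst=WEB_SERVER, dport=80)
        # POSTROUTING: -s <LAN> -d 10.105.105.198 -p tcp --dport 80
        #              -j SNAT --to <router LAN IP>   (Darrell's rule)
        if (self.with_snat and pkt.dst == WEB_SERVER and pkt.dport == 80
                and ipaddress.ip_address(pkt.src) in LAN):
            pkt = replace(pkt, src=ROUTER_LAN_IP)
        self.conntrack[reply_to(pkt)] = original
        return pkt

    def nat_reply(self, pkt):
        """Reverse both translations for a reply that reaches the router."""
        original = self.conntrack.get(pkt)
        if original is None:
            return None  # no state for this flow; nothing to un-translate
        return reply_to(original)


def server_reply(pkt, router):
    """The web server answers whatever source it saw. A LAN destination is
    delivered directly on the segment, so the router never sees that packet."""
    rep = reply_to(pkt)
    if ipaddress.ip_address(rep.dst) in LAN and rep.dst != ROUTER_LAN_IP:
        return rep
    return router.nat_reply(rep)


def run_request(client_ip, with_snat, sport=40000):
    """One HTTP connection attempt from client_ip to EXTERNAL_IP:80.
    Returns (reply the client receives, whether its TCP stack can match that
    reply to the socket it opened, source address the web server saw)."""
    router = Router(with_snat)
    request = Packet(client_ip, sport, EXTERNAL_IP, 80)
    on_wire = router.nat_forward(request)  # EXTERNAL_IP is routed via the router
    reply = server_reply(on_wire, router)
    return reply, reply == reply_to(request), on_wire.src


if __name__ == "__main__":
    for with_snat in (False, True):
        reply, accepted, seen = run_request(LAN_CLIENT, with_snat)
        print(f"LAN client, SNAT={with_snat}: reply from {reply.src}:{reply.sport}, "
              f"{'accepted' if accepted else 'rejected, no socket for that peer'}; "
              f"server saw client as {seen}")
    reply, accepted, seen = run_request(EXTERNAL_CLIENT, True)
    print(f"External client, SNAT=True: accepted={accepted}, server saw {seen}")
```

Without the SNAT rule the LAN client receives a SYN/ACK from 10.105.105.198:80 while it opened a connection to 203.0.113.10:80, so the stack has no matching socket and resets it; with the rule the server's reply is addressed to the router, which reverses both translations. The cost is visible in the third return value: for LAN clients the web server logs the router's address rather than the real client, while Internet clients, which the `-s` restriction leaves untouched, are still logged with their own address.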


_______________________________________________
netfilter mailing list
netfilter@lists.samba.org
http://lists.samba.org/listinfo/netfilter


End of netfilter Digest