Unexpected NAT behavior
13 Mar 2002 18:58:34 -0600
First off, please reply to me since for some reason I can't subscribe to
the list. Thanks.
I'm noticing some behavior that I think might be caused by NAT confusion
(or probably my confusion). Here's my setup:
machine1 with 2 eth interfaces running pppoe and iptables
machine2 with 1 eth interface running ssh
machine3 with 1 eth interface running apache
Here's what my connections look like. (188.8.131.52 is my real external IP)
184.108.40.206 192.168.1.1 192.168.1.2
machine1 does masquerading to allow all machines behind it external
access by doing:
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
machine1 also needs to do DNAT to allow external connections to machine2
for ssh and machine3 for apache by doing:
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -d 220.127.116.11 -j DNAT
/sbin/iptables -t nat -A PREROUTING -p udp --dport 22 -d 18.104.22.168 -j DNAT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -d 22.214.171.124 -j DNAT
/sbin/iptables -t nat -A PREROUTING -p udp --dport 80 -d 126.96.36.199 -j DNAT
Here's the behavior I see. When an external host (e.g. 188.8.131.52) tries to
access either ssh or web on my IP (184.108.40.206), everything works dandy.
When any internal host (say 192.168.1.2) tries to access these services
via my external IP (e.g., lynx 220.127.116.11), the attempt times out. I've
tried putting the DNAT rules first followed by the MASQUERADE rules
and vice versa, to no avail.
I've added logging before the DNAT rules and MASQUERADE rules to see
what's happening, and here's what I see. If from 192.168.1.2 I do a "lynx
www.iptables.org" I see a masqueraded connection. If from 192.168.1.2 I
do a "lynx 18.104.22.168" I see only a web connection, no masquerade.
Any suggestions? Thanks!
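The symptom above is the classic "NAT loopback" (hairpin) problem. The PREROUTING DNAT rule does fire for a LAN client (that is the "web connection, no masquerade" in the log), but the rewritten packet then leaves through the LAN interface, so the MASQUERADE rule bound to "-o ppp0" never touches it. The internal server therefore sees the client's real LAN address and answers it directly, bypassing the router; the client gets a SYN-ACK from 192.168.1.x when it sent its SYN to the external address, rejects it, and the connection hangs. The fix is a second POSTROUTING rule that SNATs only the LAN-to-LAN DNATted traffic to the router's own LAN address, so the server's reply comes back through the router and gets un-NATted. The script below is an added example, not the original poster's rules: it assumes the LAN interface is eth1, the router's LAN address is 192.168.1.254 and the external address is 203.0.113.10 (all placeholders), and it forwards TCP 22 to 192.168.1.1 and TCP 80 to 192.168.1.2 as described in the post. The rule generator is separated from the apply step so the rule set can be inspected (or checked) without touching a live firewall.

```shell
#!/bin/sh
# Added example for the hairpin-NAT problem in the post; not from the original mail.
# Assumed/placeholder values: WAN_IF=ppp0 (from the post), LAN_IF=eth1, the router's
# LAN address 192.168.1.254 and external address 203.0.113.10.  The ssh host
# 192.168.1.1 and web host 192.168.1.2 are the machines described in the post.

WAN_IF=${WAN_IF:-ppp0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_IP=${LAN_IP:-192.168.1.254}      # router's own address on LAN_IF (assumed)
EXT_IP=${EXT_IP:-203.0.113.10}       # router's public address (placeholder)
SSH_HOST=192.168.1.1
WEB_HOST=192.168.1.2

# One forwarded TCP service needs two rules to work for clients on the LAN:
#  1. PREROUTING DNAT, deliberately without "-i $WAN_IF", so a LAN client
#     connecting to EXT_IP is redirected exactly like an external client.
#  2. POSTROUTING SNAT for the LAN->LAN case only.  Without it the server sees
#     the client's real LAN address and replies to it directly; the client then
#     receives a SYN-ACK from $host although it sent its SYN to $EXT_IP, so the
#     handshake never completes.  The post's MASQUERADE rule cannot help here
#     because it matches "-o $WAN_IF" and this traffic leaves via $LAN_IF.
forward_tcp() {
    port=$1; host=$2
    printf '%s\n' "iptables -t nat -A PREROUTING -p tcp --dport $port -d $EXT_IP -j DNAT --to-destination $host:$port"
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $host -p tcp --dport $port -j SNAT --to-source $LAN_IP"
}

# The complete nat-table rule set, one command per line.
nat_rules() {
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    forward_tcp 22 "$SSH_HOST"
    forward_tcp 80 "$WEB_HOST"
}

# Number of generated rules containing a given fixed pattern; lets the rule set
# be sanity-checked without loading it into the kernel.
count_rules() { nat_rules | grep -c -- "$1"; }

# "sh hairpin.sh apply" loads the rules; any other invocation only prints them.
if [ "${1:-print}" = apply ]; then
    nat_rules | while IFS= read -r cmd; do eval "$cmd"; done
else
    nat_rules
fi
```

Two caveats a practitioner should weigh. The SNAT means Apache and sshd on the internal hosts log the router's LAN address (192.168.1.254 here) for every LAN client that comes in via the external IP, so source-based access control and log forensics on those hosts lose the real client; keeping the SNAT restricted to "-d $host" rather than masquerading everything on the LAN interface limits that loss to hairpinned connections. The cleaner alternative is to avoid hairpinning altogether by having LAN clients resolve the service names to 192.168.1.1 and 192.168.1.2 directly (split DNS or hosts entries).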