locally access server behind firewall

Daniel Chemko dchemko at smgtec.com
Wed Sep 1 20:20:55 CEST 2004

Deepak Seshadri wrote:
> Hi Tom,
> I think your Apache server is expecting connections on port 80 & your
> Nat'ing will occur only if the packet comes in from the $WWW
> interface. Since you are on the local LAN the packets are not Nat'ted
> and hence you get the connection refused from the server as it is
> getting requests on a port where no application is listening.
> You don't need any rule, just type http://myserver.com within the LAN.


Your root problem is that you're resolving myserver.com as an internet
address. The client connects to the GW (linux) in order to get routed to
the box. The linux machine passes the connection request on to
${internal_www} server without making any changes. The Server reads the
client's source address (knowing it's in the internal network) and passes
it back to the client directly. So, your route now looks like this:


Then every packet after the SYN will be tossed because the firewall never
received the corresponding SYN-ACK packet from ${internal_www}.


There are two ways to accomplish this: The right way and the wrong way.
The easiest way is just to implement the lines below.
	iptables -t nat -A POSTROUTING --destination ${internal_www} -p tcp --dport 80 -j SNAT --to-source ${internal_gw_ip}
	# In case this isn't covered by other rules, you need a loopback rule for that network interface
	iptables -A FORWARD -i ${internal_if} -o ${internal_if} -j ACCEPT

The other solution is to use Split DNS, where myserver.com resolves to
an internal DNS address like instead of There's a
lot of information about split-dns on the internet. I'm not going to
repeat it here again and again...
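Added example (not from the original post or the netfilter project): the
complete hairpin-NAT rule set that the SNAT line above is one piece of,
generated by a small POSIX sh script so the rules can be reviewed before
they are applied. It goes beyond the post by also showing the PREROUTING
DNAT for LAN clients, which a gateway that only port-forwards from the
$WWW interface lacks. The interface and address parameter names are
assumptions, and the sample values 203.0.113.10, 192.168.1.0/24,
192.168.1.1 and 192.168.1.20 are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: a complete hairpin-NAT rule
# set for reaching a port-forwarded internal web server from the LAN, the
# iptables alternative to Split DNS. All six parameters are assumptions
# about the reader's network; the values in the usage line are made up.
#
#   EXT_IF        internet-facing interface of the Linux gateway
#   INT_IF        LAN interface of the gateway
#   EXT_IP        public address that myserver.com resolves to
#   INT_NET       LAN subnet (CIDR)
#   INT_GW_IP     gateway's address on the LAN
#   INTERNAL_WWW  web server's LAN address
#
# The function only prints the rules; review them, then apply with
#   ./hairpin.sh eth0 eth1 203.0.113.10 192.168.1.0/24 192.168.1.1 192.168.1.20 | sh

hairpin_rules() {
    ext_if=$1
    int_if=$2
    ext_ip=$3
    int_net=$4
    int_gw_ip=$5
    internal_www=$6
    cat <<EOF
# Routing between interfaces must be on for any of this to matter
sysctl -w net.ipv4.ip_forward=1
# 1. Ordinary port-forward for clients arriving from the internet
iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $internal_www
# 2. Hairpin: LAN clients also resolve myserver.com to $ext_ip, so rewrite
#    their destination as well (the step a $ext_if-only DNAT rule misses)
iptables -t nat -A PREROUTING -i $int_if -s $int_net -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $internal_www
# 3. Rewrite the LAN client's source to the gateway so the server replies to
#    the gateway, which un-NATs via conntrack, instead of replying to the
#    client directly from an address the client never connected to
iptables -t nat -A POSTROUTING -o $int_if -s $int_net -d $internal_www -p tcp --dport 80 -j SNAT --to-source $int_gw_ip
# 4. Permit the hairpinned flow in FORWARD (both directions stay on $int_if)
iptables -A FORWARD -i $int_if -o $int_if -d $internal_www -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int_if -o $int_if -s $internal_www -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of iptables commands the generator emits; a quick sanity check
# before piping the output to sh
rule_count() {
    hairpin_rules "$@" | grep -c '^iptables'
}

if [ $# -eq 6 ]; then
    hairpin_rules "$@"
fi
```

The trade-off is in step 3: once the client's source is rewritten, every
LAN request reaches the web server from the gateway's address, so the
server's logs and any per-client access control no longer see the real
client. That is the price of the "easy" route; Split DNS avoids it by
never sending the LAN client to the public address in the first place.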

More information about the netfilter mailing list