donaldm314 at gmail.com
Wed Jul 13 05:21:43 CEST 2005
On 7/11/05, Jason Opperisano <opie at 817west.com> wrote:
> On Mon, Jul 11, 2005 at 11:18:30AM -0400, Payal Rathod wrote:
> > Hi,
> > I have a rule on my friend's broadband connection to redirect traffic
> > from outside to an internal machine like,
> > iptables -A PREROUTING -d 220.127.116.11 -p tcp -m tcp --dport 80 -j DNAT \
> > --to-destination 192.168.10.10:80
> > But she complained that people from inside the network cannot do
> > http://18.104.22.168 in their browser and see the site. Is she correct?
> > What is wrong with my rule because I can see the site from outside?
> 1) client; say 192.168.10.100, sends TCP SYN to 22.214.171.124
> 2) iptables machine receives packet destined for 126.96.36.199, DNAT's it to
> 192.168.10.10 and forwards the packet out the internal interface
> 3) 192.168.10.10 receives TCP SYN from 192.168.10.100 and replies
> directly to 192.168.10.100 with a SYN/ACK
> 4) client; 192.168.10.100, receives SYN/ACK from 192.168.10.10 and
> discards it, as it matches no connection in the SYN_SENT state
> (recall that our SYN was sent to 188.8.131.52).
> that the why. the proper way to avoid this is to have people on the
> inside connect to 192.168.10.10. i will leave all the half-assed
> work-arounds and kludges as an exercise for the reader and other
> "Peter: This party couldn't be better if Jesus was here.
> Jesus: For my next miracle, I will turn water... into FUNK."
> --Family Guy
Because the destination server is on the same subnet, users on the inside
could indeed connect directly to that machine. Alternatively this could be
handled via DNS.
However, if the destination server is inside a DMZ, the firewall needs
to DNAT in
PREROUTING and SNAT in POSTROUTING. The DNAT gets traffic to
the DMZ, the SNAT allows it back. Something like:
iptables --table nat -A PREROUTING -p tcp -i $LAN_INTERFACE --dport http \
-d $INTERNET_IP -j DNAT --to-destination $DMZ_HTTP_IP
iptables --table nat -A POSTROUTING -d $DMZ_HTTP_IP -s $LAN_IP_RANGE \
-p tcp --dport http -j SNAT --to-source $LAN_IP
More information about the netfilter