Donald Murray donaldm314 at gmail.com
Wed Jul 13 05:21:43 CEST 2005

On 7/11/05, Jason Opperisano <opie at 817west.com> wrote:
> On Mon, Jul 11, 2005 at 11:18:30AM -0400, Payal Rathod wrote:
> > Hi,
> > I have a rule on my friend's broadband connection to redirect traffic
> > from outside to an internal machine like,
> >
> > iptables -A PREROUTING -d -p tcp -m tcp --dport 80 -j DNAT  \
> > --to-destination
> >
> > But she complained that people from inside the network cannot do
> > in their browser and see the site. Is she correct?
> > What is wrong with my rule because I can see the site from outside?
> 1)  client; say, sends TCP SYN to
> 2)  iptables machine receives packet destined for, DNAT's it to
> and forwards the packet out the internal interface
> 3) receives TCP SYN from and replies
>     directly to with a SYN/ACK
> 4)  client;, receives SYN/ACK from and
>     discards it, as it matches no connection in the SYN_SENT state
>     (recall that our SYN was sent to
> that the why.  the proper way to avoid this is to have people on the
> inside connect to  i will leave all the half-assed
> work-arounds and kludges as an exercise for the reader and other
> posters.
> -j
> --
> "Peter: This party couldn't be better if Jesus was here.
>  Jesus: For my next miracle, I will turn water... into FUNK."
>         --Family Guy

Because the destination server is on the same subnet, users on the inside
could indeed connect directly to that machine. Alternatively this could be
handled via DNS.

However, if the destination server is inside a DMZ, the firewall needs
to DNAT in
PREROUTING and SNAT in POSTROUTING. The DNAT gets traffic to
the DMZ, the SNAT allows it back. Something like:

    iptables --table nat -A PREROUTING -p tcp -i $LAN_INTERFACE --dport http \
        -d $INTERNET_IP -j DNAT --to-destination $DMZ_HTTP_IP

    iptables --table nat -A POSTROUTING -d $DMZ_HTTP_IP -s $LAN_IP_RANGE \
        -p tcp --dport http -j SNAT --to-source $LAN_IP

More information about the netfilter mailing list