Hi Tomas,

In the case where you removed the -i $EXTIF, the traffic flows from your
workstation, to the router, and then to your Apache server. The response,
however, is sent from your Apache server directly to your workstation,
bypassing your router because the source address is in the same subnet as
Apache.

To fix this, add an SNAT rule so the source address is the router.
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1

Hope that helps,

Wade.

On March 17, 2004 11:49 am, Tomas Florian wrote:
> Hello,
>
> I have a masquerade setup on my router in the following way:
>
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> Additionally I'm prerouting all of the http traffic to a second server
> (192.168.0.2) because that's where I have my apache running.
>
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p TCP --dport 80 -j DNAT --to 192.168.0.2:80
>
> This works great ... when I'm on the outside network I can get to my web
> server and all my internal clients have access to the internet.
>
> The problem is that when I'm on the internal network (192.168.0.x) and I'm
> trying to get to my web server let's say: www.bla.com which has public IP
> say: 139.142.1.100 the prerouting rule above does not work anymore.  It
> just looks for a web server running on the router machine which is not what
> I want.  I suspect I know why it's doing it, but I'm not sure what the
> solution is ... or if there even is any.  My understanding of NAT is that
> it is translating the addresses only in one direction, so the problem I'm
> having arises because I'm asking it to do NAT in the direction that it is
> not set up to work.
>
> My temporary solution is to go to the web server by typing
> http://192.168.0.2 but this is not what I want at all.
>
> I also tried taking out the -i $EXTIF from my rule but that didn't help
> either:
> $IPTABLES -t nat -A PREROUTING -p TCP --dport 80 -j DNAT --to 192.168.0.2:80
>
> Any ideas anyone?
>
> Thanks,
> Tomas
>
> _______________________________________________
> clug-talk mailing list
> [EMAIL PROTECTED]
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
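
The asymmetric return path described in the reply above, traced in a small Python model. This is an added example, not part of the original thread; the workstation address 192.168.0.50 and source port 40000 are assumed, and the model is a simplification of the NAT steps, not netfilter code.

```python
from collections import namedtuple

# Constructed model of the thread's topology; a simplification, not netfilter.
Pkt = namedtuple("Pkt", "src sport dst dport")
ROUTER_LAN = "192.168.0.1"   # SNAT --to address in the reply
SERVER = "192.168.0.2"       # Apache host, DNAT target
PUBLIC = "139.142.1.100"     # public IP used in the question
CLIENT = "192.168.0.50"      # assumed workstation address


def on_lan(ip):
    return ip.startswith("192.168.0.")  # 192.168.0.0/24


def hairpin(snat):
    """Trace one request from CLIENT to PUBLIC:80 and the reply.

    Returns (packet the server receives, reply the client receives)."""
    syn = Pkt(CLIENT, 40000, PUBLIC, 80)      # 40000: assumed source port
    # PREROUTING DNAT without -i $EXTIF: destination becomes the server.
    fwd = syn._replace(dst=SERVER)
    # POSTROUTING SNAT: -s 192.168.0.0/24 -d 192.168.0.2 --to 192.168.0.1
    if snat and on_lan(fwd.src) and fwd.dst == SERVER:
        fwd = fwd._replace(src=ROUTER_LAN)
    # The server answers the source address it saw.
    reply = Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if reply.dst == ROUTER_LAN:
        # Reply reaches the router, which reverses both translations.
        reply = Pkt(syn.dst, syn.dport, syn.src, syn.sport)
    # Otherwise the reply is delivered on the LAN, untranslated.
    return fwd, reply


def client_accepts(reply):
    """The client's connection is to PUBLIC:80; other peers do not match."""
    return (reply.src, reply.sport, reply.dst) == (PUBLIC, 80, CLIENT)


if __name__ == "__main__":
    for snat in (False, True):
        seen, reply = hairpin(snat)
        print(f"snat={snat}: server sees {seen.src}, client gets reply "
              f"from {reply.src}, accepted={client_accepts(reply)}")
```

With the SNAT rule in place the web server sees 192.168.0.1 as the source of every internal request, so its access log no longer distinguishes individual LAN clients.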
