I've been down this route before, and there are a couple of ways to fix it.

1) If you are only dealing with one workstation (or a small number of them), then 
simply add an entry in your HOSTS file for the web server on the workstation(s).  i.e. 
 
        192.168.0.2     www.bla.com

(Note the use of an INTERNAL IP Address).

2) You can use SNAT (Source NAT) and DNAT (Destination NAT) to adjust the rules in 
IPTables.  Basically, the problem comes down to the web server being on the same 
network, but thinking it must send responses through NAT to get back to your 
workstation.  Using SNAT and DNAT you can modify this behaviour.  However, this is not 
a simple thing to grasp (I had help to get mine set up, but couldn't recreate it if I 
wanted to - not without a LOT of research).  Others on the list might be able to help 
you with this.  (I now use IPCop for my router, and the HOSTS fix)

My recommendation would be to do the HOSTS fix - it's simple to understand, and easy 
to implement.

My thoughts, not yours....

Shawn
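The SNAT/DNAT approach Shawn sketches in point 2, written out as an added example (not part of the thread): the internal client sends to the public address, the router DNATs it to the web server, and an extra SNAT on the LAN leg forces the server's reply back through the router instead of straight to the client (which would otherwise drop the unexpected SYN-ACK). Interface names eth0/eth1, the 192.168.0.0/24 LAN and the router's LAN address 192.168.0.1 are assumptions; the public IP and server IP are the ones from Tomas's post.

```shell
#!/bin/sh
# Added example: hairpin NAT so LAN clients can reach the web server via its
# public IP. Assumed: EXTIF=eth0, INTIF=eth1, LAN 192.168.0.0/24, router LAN IP
# 192.168.0.1. Public IP and web server address are taken from the thread.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
LAN="${LAN:-192.168.0.0/24}"
PUBIP="${PUBIP:-139.142.1.100}"
WEBSRV="${WEBSRV:-192.168.0.2}"
ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.0.1}"

# Print the iptables commands rather than running them, so the rule set can be
# reviewed first (pipe the output to sh on the router to apply it).
hairpin_rules() {
    # The two rules Tomas already has: masquerade outbound, DNAT port 80 from outside.
    echo "iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE"
    echo "iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $WEBSRV:80"
    # Hairpin part 1: also DNAT requests that arrive on the LAN interface for the public IP.
    echo "iptables -t nat -A PREROUTING -i $INTIF -d $PUBIP -p tcp --dport 80 -j DNAT --to-destination $WEBSRV:80"
    # Hairpin part 2: SNAT the LAN-to-server leg so the server answers the router,
    # not the client directly; the router then un-NATs the reply for the client.
    echo "iptables -t nat -A POSTROUTING -o $INTIF -s $LAN -d $WEBSRV -p tcp --dport 80 -j SNAT --to-source $ROUTER_LAN_IP"
    # Let the forwarded traffic through (only needed with a default-deny FORWARD policy).
    echo "iptables -A FORWARD -i $INTIF -o $INTIF -d $WEBSRV -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules that implement the hairpin itself (the LAN-side DNAT and its SNAT).
hairpin_rule_count() {
    hairpin_rules | grep -c -e "-i $INTIF -d $PUBIP" -e "-j SNAT --to-source"
}

hairpin_rules
```

The SNAT rule costs the web server its real client addresses in its logs, which is why Shawn's /etc/hosts entry is the simpler answer when only a few workstations are involved.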

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Curtis Sloan
Sent: Wednesday, March 17, 2004 12:25 PM
To: CLUG General
Subject: Re: [clug-talk] Prerouting from internal network with NAT ..??


On Wed March 17 2004 11:49, Tomas Florian wrote:
> Hello,
>
> I have a masquerade setup on my router in the following way:
>
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> Additionally I'm prerouting all of the http traffic to a second server
> (192.168.0.2) because that's where I have my apache running.
>
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p TCP --dport 80 -j DNAT --to
> 192.168.0.2:80
>
> This works great ... when I'm on the outside network I can get to my web
> server and all my internal clients have access to the internet.
>
> The problem is that when I'm on the internal network (192.168.0.x) and I'm
> trying to get to my web server let's say: www.bla.com which has public ip
> say: 139.142.1.100 the prerouting rule above does not work anymore.

I'm not sure why you would want to send a request to your external address 
when you're on the internal network?

> It 
> just looks for a web server running on the router machine which is not what
> I want.  I suspect I know why it's doing it, but I'm not sure what the
> solution is ... or if there even is any.  My understanding of NAT is that
> it is translating the addresses only in one direction, so the problem I'm
> having arises because I'm asking it to do NAT in the direction that it is
> not set up to work.
>
> My temporary solution is to go to the web server by typing
> http://192.168.0.2 but this is not what I want at all.

Put an entry in /etc/hosts:  www.bla.com 192.168.0.2

> I also tried taking out the -i $EXTIF from my rule but that didn't help
> either:
> $IPTABLES -t nat -A PREROUTING -p TCP --dport 80 -j DNAT --to
> 192.168.0.2:80
>
> Any ideas anyone?

HTH,
Curtis

>
> Thanks,
> Tomas
>
>
>
>
> _______________________________________________
> clug-talk mailing list
> [EMAIL PROTECTED]
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
