It's not a bug; it is more like how it's implemented in Linux (and I think in other Unixes too). You can simply use the transparent-dnat plugin to fix this. You can grab it from: http://rocky.eld.leidenuniv.nl/iptables-firewall/plugins/transparent-dnat/

Arno

Debian Bug Tracking System wrote:
Your message dated Thu, 13 Sep 2007 20:01:39 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#442022: Internal network can't access internal server accessed via external ip
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

------------------------------------------------------------------------

Subject:
Internal network can't access internal server accessed via external ip
From:
Ognyan Kulev <[EMAIL PROTECTED]>
Date:
Wed, 12 Sep 2007 18:31:48 +0300
To:
[EMAIL PROTECTED]

Package: arno-iptables-firewall
Version: 1.8.8.c-1

When the package is used as a gateway for an internal network and some servers should be visible from outside, there is a problem with accessing these servers from inside (when the external IP is used). Let's suppose port 80 is forwarded to internal server 192.168.0.2, the internal gateway is 192.168.0.1, and the external IP of the gateway is 1.2.3.4. DC_OPEN_TCP has 80, and NAT_TCP_FORWARD is used to forward port 80 to 192.168.0.2. (BTW, it would be good if the relationship between these variables were written down.) Hosts in the internal network can't access this server via the external IP 1.2.3.4. The situation is described in http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html.

What I use to solve this problem is the following plugin:

  iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to 192.168.0.2
  iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2 -p tcp --dport 80 -j SNAT --to 1.2.3.4

I think such hand-written iptables should not be needed.

Regards,
Ognyan Kulev




------------------------------------------------------------------------

Subject:
Re: Bug#442022: Internal network can't access internal server accessed via external ip
From:
Michael Hanke <[EMAIL PROTECTED]>
Date:
Thu, 13 Sep 2007 20:01:39 +0200
To:
Ognyan Kulev <[EMAIL PROTECTED]>, [EMAIL PROTECTED]

Package: arno-iptables-firewall
Version: 1.8.8.i-1


Hi,

I asked upstream about this issue and he considers this a feature and
not a bug. ;)

Anyway, what you want to do (and are doing already) is implemented as
the 'transparent DNAT' plugin that was added in version 1.8.8.i, which
is in lenny already. Therefore I'm closing this bug now.


Thanks for reporting this,

Michael


--
Arno van Amersfoort - E-mail: [EMAIL PROTECTED]

~ 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is just a number! ~
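The two rules in the bug report are the standard "hairpin NAT" fix from the netfilter NAT-HOWTO: plain DNAT alone breaks for LAN clients because the server answers the client directly from 192.168.0.2, and the client drops a reply from an address it never sent to. The script below is an added example, not code from arno-iptables-firewall or from the transparent-dnat plugin, that emits a complete rule set for one such forward so it can be reviewed before being loaded. It uses the addresses from the report; the IPT variable and the hairpin_rules function are assumptions for illustration. It also covers two things the report's two-liner does not: connections originating on the gateway itself (which traverse the nat OUTPUT chain, not PREROUTING) and the FORWARD rules that have to admit the rewritten traffic.

```shell
#!/bin/sh
# Added example (not the project's or the reporter's code): print the hairpin-NAT
# rule set for one port forward. By default the rules are echoed rather than
# applied; run with IPT=iptables to load them for real. (IPT is an assumed name.)
IPT="${IPT:-echo iptables}"

# hairpin_rules EXT_IP LAN_NET INT_IP PROTO PORT
# Example values (from the bug report): 1.2.3.4 192.168.0.0/24 192.168.0.2 tcp 80
hairpin_rules() {
    ext_ip=$1 lan_net=$2 int_ip=$3 proto=$4 port=$5

    # 1. Rewrite the destination for anyone, outside or inside, hitting ext_ip:port.
    $IPT -t nat -A PREROUTING -d "$ext_ip" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$int_ip"

    # 2. Locally generated packets never pass PREROUTING; the gateway itself
    #    needs the same DNAT in the nat OUTPUT chain to reach the server via ext_ip.
    $IPT -t nat -A OUTPUT -d "$ext_ip" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$int_ip"

    # 3. Only for LAN clients (hence -s lan_net): rewrite the source so the
    #    server's reply is routed back through the gateway, which un-DNATs it.
    #    Without this the server replies straight to the client from int_ip and
    #    the client discards the unexpected packet. Cost: the server's logs show
    #    ext_ip, not the real LAN client, for these connections.
    $IPT -t nat -A POSTROUTING -s "$lan_net" -d "$int_ip" -p "$proto" --dport "$port" \
        -j SNAT --to-source "$ext_ip"

    # 4. Admit the rewritten flow through the filter table in both directions;
    #    DNAT has already run when FORWARD sees the packet, so match on int_ip.
    $IPT -A FORWARD -d "$int_ip" -p "$proto" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$int_ip" -p "$proto" --sport "$port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Count how many rules the generator emits in echo mode (used for a quick self-check).
hairpin_rule_count() {
    IPT="echo iptables" hairpin_rules "$@" | wc -l | tr -d ' '
}

hairpin_rules 1.2.3.4 192.168.0.0/24 192.168.0.2 tcp 80
```

Keep the SNAT rule narrowed to the LAN subnet and the one internal server: a blanket `-j MASQUERADE` on the LAN interface would also hide real client addresses for ordinary LAN-to-LAN traffic that the gateway happens to forward. If losing the client address in the server's logs is unacceptable, the usual alternative is split-horizon DNS that resolves the public name to 192.168.0.2 for internal clients, which needs no NAT at all.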



