Quite right..

On Thu, 2004-07-08 at 15:46, Daniel Pittman wrote:
> On 8 Jul 2004, Caveman wrote:
> > I have a slight problem I am not sure how to get around.
> > Firstly let me draw you a picture. I have computer 'A' which is directly
> > connected to the internet and is the ONLY computer to have an internet IP.
> > It routes (via NAT) traffic from clients on the LAN to the internet etc.
> >
> > Now on box 'B' I have a webserver running and I have forwarded (using
> > PREROUTING) port 80 to box 'B''s LOCAL IP. This works fine for people
> > outside my network (i.e., the internet) but I can't access the webserver by
> > using the internet IP from the LAN. It's never been a big issue, but I have
> > finally decided that I need to work out how to fix this.
> >
> > Any ideas ?
>
> Sure, you have hit one of the classic problems in NAT work: you can't
> just DNAT onto the same physical Ethernet segment.
>
> Basically, you send a packet from your IP to the public webserver IP,
> which lives on the firewall.
>
> The firewall then changes the *destination* to the internal, private
> webserver IP, and puts that packet onto the Ethernet. The *source* is
> your workstation.
>
> The internal webserver then gets the packet, and gets a reply ready.
> To send that it grabs the *source* IP from your packet -- the
> workstation.
>
> It then checks the routing table, finds that IP is on the same network
> segment, and sends the response packet directly to your workstation --
> from the internal IP.
>
> Your workstation, of course, was not talking to the internal IP but the
> external one, so it knows nothing of this strange reply packet it was
> sent. So, correctly, it responds with "invalid, tear down the
> connection" to the internal web server, and voila, no connection.
>
> > The below code is my NAT and PREROUTING stuff I have set up. I know
> > that the POSTROUTING rule I have now is what's causing the issue, but I
> > am unsure as to how I should get around this.
>
> Basically, for NAT to work the packets have to pass through the NAT
> device in *both* directions.
>
> The easiest way to get this working is to not pass through the NAT in
> either direction, by using an internal DNS server or hosts file entry or
> something on the workstation.

Have a look at dnsmasq.. It uses /etc/hosts to allow you to serve the internal IP number rather than the external number.. Very easy to install and use.. Just make a REDIRECT rule in nat PREROUTING or adjust everyone's DNS spec to the firewall IP address. (Don't let it listen on the internet connection...)

http://thekelleys.org.uk/dnsmasq/doc.html

> If you can't, or don't want to, do that, then you need to make sure the
> packet goes through the firewall in both directions, so you need to SNAT
> any packet from an internal address to the public IP, so that the packet
> is returned to the firewall.
>
> That way the firewall correctly changes back both the source and
> destination address, and your connection works.
>
> Honestly, though, editing the hosts file is *so* much easier. :)

AMEN to that...

> Daniel
> --

Regards,
Peter
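The three packet flows discussed in this thread (plain DNAT that fails, DNAT plus hairpin SNAT that works, and the split-DNS shortcut that bypasses NAT altogether) can be traced with a small simulation. This is an added example, not code from either poster; the addresses are constructed (203.0.113.10 as the public IP, 192.168.1.0/24 as the LAN) and the address-rewriting logic is a simplified model of what the iptables nat table does, not a re-implementation of it.

```python
"""Model of the DNAT hairpin problem from the thread (constructed example).

Hosts (all addresses are made up for this demo):
  firewall 'A'   public 203.0.113.10, LAN side 192.168.1.1
  webserver 'B'  192.168.1.20   (DNAT target for port 80)
  workstation    192.168.1.50   (the LAN client that cannot connect)
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"
FIREWALL_LAN_IP = "192.168.1.1"
WEBSERVER_IP = "192.168.1.20"
WORKSTATION_IP = "192.168.1.50"
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    """Minimal NAT box: a DNAT rule in PREROUTING, an optional hairpin SNAT
    rule in POSTROUTING, and a connection table to undo both on the reply."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # (reply.src, reply.dst) -> (original dst, original src), i.e. the
        # addresses the reply must carry once the translation is reversed
        self.conntrack = {}

    def prerouting(self, pkt: Packet) -> Packet:
        # Equivalent in spirit to the poster's existing rule:
        #   iptables -t nat -A PREROUTING -d 203.0.113.10 -p tcp --dport 80 \
        #            -j DNAT --to-destination 192.168.1.20
        if pkt.dst == PUBLIC_IP:
            return Packet(pkt.src, WEBSERVER_IP)
        return pkt

    def postrouting(self, pkt: Packet) -> Packet:
        # The fix Daniel describes: SNAT LAN-originated packets headed for the
        # DNATed server so that its reply is addressed back to the firewall.
        # Roughly (assumed equivalent, not from the thread):
        #   iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.20 \
        #            -p tcp --dport 80 -j SNAT --to-source 192.168.1.1
        if self.hairpin_snat and pkt.src.startswith(LAN_PREFIX) and pkt.dst == WEBSERVER_IP:
            return Packet(FIREWALL_LAN_IP, pkt.dst)
        return pkt

    def forward(self, pkt: Packet) -> Packet:
        """Outbound direction: apply DNAT, then SNAT, and remember the mapping."""
        original_src, original_dst = pkt.src, pkt.dst
        pkt = self.postrouting(self.prerouting(pkt))
        self.conntrack[(pkt.dst, pkt.src)] = (original_dst, original_src)
        return pkt

    def reverse(self, reply: Packet) -> Packet:
        """Return direction: restore the addresses the client originally used."""
        mapped = self.conntrack.get((reply.src, reply.dst))
        return Packet(*mapped) if mapped else reply


def hairpin_connection(hairpin_snat: bool) -> dict:
    """Workstation talks to the PUBLIC IP; report whether the reply is accepted."""
    fw = Firewall(hairpin_snat)
    request = Packet(WORKSTATION_IP, PUBLIC_IP)
    forwarded = fw.forward(request)
    # The webserver answers whatever source address it saw on the request.
    reply = Packet(WEBSERVER_IP, forwarded.src)
    # LAN routing: the reply only passes through the firewall if it is
    # addressed to the firewall; otherwise it goes straight to the client.
    if reply.dst == FIREWALL_LAN_IP:
        reply = fw.reverse(reply)
    # The client accepts the reply only from the peer it actually connected to.
    accepted = reply.dst == WORKSTATION_IP and reply.src == request.dst
    return {"server_saw_src": forwarded.src, "reply_src": reply.src, "accepted": accepted}


def split_dns_connection() -> dict:
    """The hosts-file / dnsmasq approach: the LAN client resolves the name to
    the internal address, so no packet ever needs translating."""
    request = Packet(WORKSTATION_IP, WEBSERVER_IP)
    reply = Packet(WEBSERVER_IP, request.src)
    accepted = reply.dst == WORKSTATION_IP and reply.src == request.dst
    return {"server_saw_src": request.src, "reply_src": reply.src, "accepted": accepted}


if __name__ == "__main__":
    print("DNAT only:        ", hairpin_connection(False))
    print("DNAT + hairpin SNAT:", hairpin_connection(True))
    print("split DNS:        ", split_dns_connection())
```

The DNAT-only run shows the failure exactly as Daniel narrates it: the server sees the workstation as the source, replies to it directly from 192.168.1.20, and the workstation rejects a reply from an address it never contacted. With the hairpin SNAT the server sees the firewall as the source, so the reply is routed back through the firewall, which restores the public IP as the source before delivering it. The split-DNS case never touches NAT at all, which is why the thread prefers it; a side effect of the SNAT approach worth knowing is that the webserver's logs will then show the firewall's address for every LAN client.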

