Miguel Da Silva wrote:

> On Tue, 2 May 2006 04:34:13 +0300
> Tsakiridis Antonis <[EMAIL PROTECTED]> wrote:
>
>> I have a small LAN and want to allow access to an internal (no real ip, sorry
>> ;-)) web server to Internet clients
>>
>> The gateway is using iptables v1.2.11 (debian sarge)
>>
>> I have activated port forwarding, so that Internet traffic targeted at my
>> gateway's port 80 is forwarded to the internal web server and works just fine.
>>
>> (To make things a bit clear:
>> the Internet accesses the gateway through $INET_IP,
>> the LAN accesses the gateway through $LAN_IP,
>> the IP of the internal web server is $HTTPD_IP)

So, if I understand this right your http server and your LAN hosts are all on
the same network. You don't have a DMZ. If that's right then below is my best
(untested) guess.

>> What I also want, however, is to allow other LAN hosts to have access to the
>> same web server using the FQDN of the gateway (say http://mysite.dyndns.org).
>> To do that correctly I must also SNAT LAN packets destined to $INET_IP of
>> the gateway:
>>
>> iptables -t nat -A POSTROUTING -p TCP -i $LAN_IFACE -d $HTTPD_IP --dport 80 -j SNAT --to-source $LAN_IP
>>
>> Which gives me an error:
>> iptables v1.2.11: Can't use -i with POSTROUTING

I think what you want here, instead of POSTROUTING and SNAT, is PREROUTING and
DNAT, i.e.

$IPTABLES -t nat -A PREROUTING -p tcp -i $LAN_IFACE -d $INET_IP --dport 80 -j DNAT --to-destination $HTTPD_IP

Then you need a FORWARD rule to allow the now DNAT'd packets to be forwarded to
your web server's LAN IP. Something like this...

$IPTABLES -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -p tcp -d $INET_IP --dport 80:80 -j ACCEPT

I haven't tested this, and it seems a bit weird since the DNAT'd packets will
have source and destination in the same network (your LAN network), and will be
routed in and then back out the same interface. It would not surprise me if
such packets would be considered INVALID by the following rule if you have it.

$IPTABLES -A FORWARD -m state --state INVALID -j DROP

There are three other options I can see to what you're doing.

1. Put a 3rd NIC in your gateway and set up a DMZ for your web server to live
in. This way if your web server gets hacked your internal LAN is still
protected.

or

2. Set up BIND on your gateway with split DNS views so that when your LAN hosts
do a lookup on www.yourdomain.com they get the internal IP of your http server.

or

3. Plug the internal LAN IP of your http server into the hosts files of your
LAN hosts.

If it were me I'd do both 1 and 2 above.

Hope that helps.
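A complete hairpin-NAT rule set for the layout in this thread, as an added example that is not from either poster. It keeps Antonis's SNAT step but matches on -o (valid in POSTROUTING) instead of -i, and its FORWARD rule matches on $HTTPD_IP because the filter table sees the already-DNAT'd destination. The interface name, addresses and LAN_NET defaults are constructed placeholders.

```shell
#!/bin/sh
# Hairpin NAT for the thread's layout: LAN clients reach the internal web
# server through the gateway's public address. Variable names follow the
# thread; the default values are constructed placeholders, not real addresses.
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IP="${LAN_IP:-192.168.1.1}"
INET_IP="${INET_IP:-203.0.113.10}"
HTTPD_IP="${HTTPD_IP:-192.168.1.80}"

# Print the four rules. DNAT rewrites the destination before routing; SNAT
# rewrites the source after routing so the server's replies go back via the
# gateway instead of straight to the client (the client expects an answer from
# $INET_IP and would reset the connection). POSTROUTING only knows the output
# interface, hence -o where the original rule used -i. FORWARD matches on
# $HTTPD_IP because filtering happens after the DNAT has been applied.
hairpin_rules() {
    cat <<EOF
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp -d $INET_IP --dport 80 -j DNAT --to-destination $HTTPD_IP
$IPTABLES -t nat -A POSTROUTING -o $LAN_IFACE -p tcp -s $LAN_NET -d $HTTPD_IP --dport 80 -j SNAT --to-source $LAN_IP
$IPTABLES -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -p tcp -d $HTTPD_IP --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Catch the mistake from the thread before iptables does: -i is only valid in
# chains that see the incoming interface, -o only in chains that see the
# outgoing one. Returns 1 for a rule that iptables would reject.
check_rule() {
    case " $1 " in
        *" -A POSTROUTING"*" -i "*|*" -A OUTPUT"*" -i "*) return 1 ;;
        *" -A PREROUTING"*" -o "*|*" -A INPUT"*" -o "*) return 1 ;;
    esac
    return 0
}

# Dry run by default (prints the rules); APPLY=1 executes them, which needs root.
apply_rules() {
    while IFS= read -r rule; do
        check_rule "$rule" || { echo "refusing: $rule" >&2; return 1; }
        if [ "${APPLY:-0}" = 1 ]; then eval "$rule"; else echo "$rule"; fi
    done <<EOF
$(hairpin_rules)
EOF
}
```

With the SNAT in place the web server logs every LAN client as $LAN_IP; the split-DNS option in the reply above avoids that by never sending LAN traffic through the gateway at all.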

