On 6/27/05, Hans-Werner Hilse <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Mon, 27 Jun 2005 11:20:53 -0400
> Travis Osterman <[EMAIL PROTECTED]> wrote:
>
> > I cut all port forwarding rules but port 80 and all mac filtering less
> > one and commented as such to keep the length down. Thanks again for
> > any suggestions.
>
> I'll comment below...
>
> > *nat
> > # [...]
> > # snipped other DNAT
> > -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20
> > -A PREROUTING -i ppp0 -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.1.20
>
> Never heard of http-via-udp... But the problem will show up here:
> The PREROUTING should apply also for packets coming from eth1 (LAN).
> Otherwise they'll hit the router's own tcp stack - where there's
> supposedly no http and such the connection would be reset.
>
> The problem atm seems to be, pointed out:
>
> 1. both external clients and internal clients can correctly resolve
> http://my-dynamic-name.no-ip.com to the ppp0's IP.
> 2.a. external clients' requests hit the router coming from ppp0
> 2.b. internal clients' requests hit the router coming from eth1
> 3. nat/PREROUTING:
> 3.a. The packets from 2.a. get rewritten to dst 192.168.1.20
> 3.b. The other ones don't get rewritten
> 4. Routing is performed (filter/FORWARD, nat/POSTROUTING):
> 4.a. The packets from 2.a. will get routed to 192.168.1.20 and leave
> the router if allowed by nat/OUTPUT. (it is) WWW server does its job
> then.
> 4.b. The packets from 2.b. will hit the router's tcp stack if
> allowed by filter/INPUT (it is). They'll get RSTed if there's no
> open port 80.
>
> Well, and we have some more problems. Your actual POSTROUTING chain
> only MASQUERADEs packets leaving through ppp0. With this, and the new
> rules, www packets from the LAN would get destination rewritten on the
> router and be routed there. The source address will still be set to
> the original source address. So the router would answer to that
> address. Problem here is the client: It expects an answer from the
> router's IP. So the web server's reply gets dropped at the client.
>
> To overcome this, you can set up routing on the web server to generally
> send packets via the router. I'd suggest placing it in a different
> subnet, e.g. 192.168.3.0/24, and have the router use an address in that
> range too. A little of a DMZ on the LAN wire (not suggested, but not
> different from your current solution).
>
> To-Do:
>
> - on the webserver: configure address to 192.168.3.20
> - on the router:
>   - configure a second address for eth1 in /etc/conf.d/net (192.168.3.1 assumed here)
>   - modify iptables settings:
>
> You need to insert a new rule like the ones above but also for "-i
> eth1". You'll further need to specify "-d EXTERNAL_IP" (well, of course
> with that IP instead) to not get all connections to a www port
> rewritten to that destination. I'd suggest using a new chain for this
> that you can flush in a script and just place a new rule there if the
> IP changes.
>
> e.g. global script on boot up:
>
> iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.20
> iptables -t nat -N internalwww
> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j internalwww
>
> and e.g. in your dhcp-script:
>
> iptables -t nat -F internalwww
> iptables -t nat -A internalwww -d $EXTERNAL_IP -j DNAT --to-destination 192.168.3.20
>
> -hwh
> --
> [email protected] mailing list
I had to read your reply about seven times until I could really grasp everything you were saying. My only concern is that while this will work for my web server, it appears as though I would have to put all my service-providing machines on different subnets and have rules for each of them ... am I understanding that correctly? Also, sadly, my webserver is doubling as a samba server right now and I'm not overly optimistic that windows will see it on the different subnet.

Is there a way to check and see if local traffic is (terminally) destined for ppp0 and set up a chain to filter by port and reroute that traffic to the appropriate lan computer? Could dnsmasq point my-dynamic-name.no-ip.com to the address of eth1 instead of ppp0 to make the routing easier (bypassing NAT)?

I'm still really green at network design issues, but this is a fascinating problem to me. Thanks for your input so far.

--
Travis
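The boot-time script and the dhcp/ip-up refresh step that Hans-Werner sketches, folded into one script as an added example (this is not code from the thread). The interface names, the 192.168.3.20 web server address and the internalwww chain come from his reply; the IPTABLES=echo dry-run switch and the address check before the rule is installed are assumptions added here.

```shell
#!/bin/sh
# Added example, not code from the thread. Set IPTABLES=echo to dry-run.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF=ppp0             # interface names as in the thread
LAN_IF=eth1
WWW_HOST=192.168.3.20   # web server on the second subnet the reply suggests
CHAIN=internalwww

# Accept only a dotted quad with octets 0-255. An empty or malformed
# EXTERNAL_IP from a dhcp/ppp hook must never be spliced into a rule.
valid_ipv4() {
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    return 0
}

# Run once at boot: DNAT port 80 arriving on the WAN link, and hand LAN
# traffic to port 80 to a dedicated chain that can be refreshed later.
boot_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WWW_HOST"
    $IPTABLES -t nat -N "$CHAIN"
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN"
}

# Run from the dhcp/ppp ip-up hook with the new public address: flush the
# chain and add the single rule that rewrites only LAN connections aimed at
# that address, so ordinary LAN-to-Internet port 80 traffic is untouched.
refresh_external_ip() {
    ext_ip=$1
    if ! valid_ipv4 "$ext_ip"; then
        echo "refusing to install rule for bad EXTERNAL_IP '$ext_ip'" >&2
        return 1
    fi
    $IPTABLES -t nat -F "$CHAIN"
    $IPTABLES -t nat -A "$CHAIN" -d "$ext_ip" -p tcp --dport 80 \
        -j DNAT --to-destination "$WWW_HOST"
}

case "$1" in
    boot)  boot_rules ;;
    ip-up) refresh_external_ip "$2" ;;
esac
```

Call it as `script boot` from the boot-up script and as `script ip-up "$EXTERNAL_IP"` from the dhcp/ppp hook; the LAN-to-WWW_HOST return path still needs the second-subnet routing the reply describes.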

