You were exactly correct.
Thank you!
In summary:
I have iptables masquerading my internal (10.0.0.x) LAN to the internet:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Then I bring port 80 through to my internal server:
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 \
-i eth1 -j DNAT --to 10.0.0.55:80
Then I (follow advice and) DNAT my internal connection if it resolves to the
external IP.
iptables -t nat -A PREROUTING -p tcp -i internal_interface \
-d external_ip_address --dport 80 -j DNAT --to 10.0.0.55:80
Then I SNAT the packet to force the Web Server to reply to the router:
iptables -t nat -A POSTROUTING -d 10.0.0.55 \
-s 10.0.0.0/255.255.255.0 -p tcp \
--dport 80 -j SNAT --to 10.0.0.100
And my internal users can see my internal Web Server using the external IP
address/DNS.
Thank you again Andrew,
Bob Boucneau
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Greenburg
Sent: Tuesday, February 19, 2002 9:09 AM
To: [EMAIL PROTECTED]
Subject: RE: Internal traffic to internal Web Server
At 02:27 PM 2/15/2002 -0700, you wrote:
>Hi,
>
>This is the part that works... :-) ...and all that is running right now.
>
>Internet is on eth1, Intranet is on eth0
Does your external address always resolve to the same IP?
It looks to me like you need to add a rule of the type
iptables -t nat -A PREROUTING -p protocol -i internal_interface \
-d external_ip_address --dport port -j DNAT --to internal_ip_address:port
for each of the services you want accessible from the internal network.
Then you will still need the
iptables -t nat -A POSTROUTING -d 10.0.0.55 \
-s 10.0.0.0/255.255.255.0 -p tcp \
--dport 80 -j SNAT --to 10.0.0.100
command in your POSTROUTING chain.
--
Andrew M. Greenburg | agreenbu @ in-span . net
Systems Engineer | Phone (317)234-1001
Indiana Web Academy | Fax (317)234-1328
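The four rules Bob summarizes at the top of the thread (masquerade, inbound port forward, hairpin DNAT for LAN clients, SNAT so the web server replies via the router), collected into one script as an added example; this is not code posted by either participant. Interface names and addresses are the ones the thread gives; the external address is an assumption, since the thread only ever writes external_ip_address, and 203.0.113.10 stands in for it. With IPT left at its default of "echo iptables" the script only prints the rules, so it can be reviewed without root; run it with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: hairpin (NAT loopback) ruleset for an
# internal web server reached by its public address from the LAN.
# Default IPT only prints the rules; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

EXT_IF="${EXT_IF:-eth1}"                      # Internet side, as in the thread
INT_IF="${INT_IF:-eth0}"                      # LAN side, as in the thread
LAN="${LAN:-10.0.0.0/24}"                     # same as 10.0.0.0/255.255.255.0
ROUTER_LAN_IP="${ROUTER_LAN_IP:-10.0.0.100}"  # router's LAN address (SNAT source)
WEB="${WEB:-10.0.0.55}"                       # internal web server
PORT="${PORT:-80}"
# Assumption: the thread never states the public address; 203.0.113.10 is a
# documentation-range placeholder for external_ip_address.
EXT_IP="${EXT_IP:-203.0.113.10}"

hairpin_nat() {
    # 1. Masquerade LAN -> Internet traffic leaving the external interface.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # 2. Port-forward inbound TCP/$PORT from the Internet to the web server.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$WEB:$PORT"

    # 3. Hairpin: a LAN client that resolved the public name to EXT_IP sends
    #    the packet to the router on the LAN interface; give it the same DNAT.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp -d "$EXT_IP" --dport "$PORT" \
        -j DNAT --to-destination "$WEB:$PORT"

    # 4. Rewrite the source of LAN -> web server packets to the router's LAN
    #    address. Without this the server would answer the client directly,
    #    the reply would carry 10.0.0.55 as its source instead of EXT_IP, and
    #    the client's TCP stack would discard it.
    $IPT -t nat -A POSTROUTING -s "$LAN" -d "$WEB" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$ROUTER_LAN_IP"
}

hairpin_nat
```

Rule 4 matches every LAN connection to the web server on that port, not only hairpinned ones, so the server's access log will show 10.0.0.100 for all internal clients; that is the trade-off the thread accepts. After applying, `iptables -t nat -L -n -v` shows the four rules with their packet counters, which is the quickest way to confirm a LAN client's request actually hit rule 3 and rule 4.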