First off, please reply to me since for some reason I can't subscribe to the list. Thanks.
I'm noticing some behavior that I think might be caused by NAT confusion (or probably my confusion). Here's my setup:

  machine1 with 2 eth interfaces running pppoe and iptables - RedHat 7.2 - Kernel 2.4.18
  machine2 with 1 eth interface running ssh - RedHat 7.2
  machine3 with 1 eth interface running apache - RedHat 7.2

Here's what my connections look like. (1.2.3.4 is my real external IP)

             1.2.3.4       192.168.1.1          192.168.1.2
  *Internet*-------machine1-----------hub-----------machine2
                                       |
                                       |           192.168.1.3
                                       +------------machine3

machine1 does masquerading to allow all machines behind it external access by doing:

  /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE

machine1 also needs to do DNAT to allow external connections to machine2 for ssh and machine3 for apache by doing:

  /sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -d 1.2.3.4 -j DNAT --to 192.168.1.2
  /sbin/iptables -t nat -A PREROUTING -p udp --dport 22 -d 1.2.3.4 -j DNAT --to 192.168.1.2
  /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -d 1.2.3.4 -j DNAT --to 192.168.1.3
  /sbin/iptables -t nat -A PREROUTING -p udp --dport 80 -d 1.2.3.4 -j DNAT --to 192.168.1.3

Here's the behavior I see. When an external host (e.g. 5.6.7.8) tries to access either ssh or web on my IP (1.2.3.4), everything works dandy. When any internal host (say 192.168.1.2) tries to access these services via my external IP (e.g., lynx 1.2.3.4), the attempt times out. I've tried putting the DNAT rules first followed by the MASQUERADE rule and vice versa, to no avail.

I've added logging before the DNAT rules and the MASQUERADE rule to see what's happening, and here's what I see. If from 192.168.1.2 I do a "lynx www.iptables.org", I see a masqueraded connection. If from 192.168.1.2 I do a "lynx 1.2.3.4", I see only a web connection, no masquerade connection.

Any suggestions? Thanks!

-Ti Leggett
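The symptom in the post is the classic NAT hairpin (NAT loopback) case. The PREROUTING DNAT rules match on destination address only, so a LAN client connecting to 1.2.3.4 is DNATed to 192.168.1.3 just like an outside client, which is why the log shows the "web" hit. The MASQUERADE rule, however, is restricted to -o ppp0 and never fires, so the packet reaches machine3 with its original source 192.168.1.2. machine3 answers the client directly across the hub; the client sees a SYN-ACK from 192.168.1.3 instead of the 1.2.3.4 it sent to, discards it, and the connection hangs until it times out. The fix is an extra POSTROUTING rule that rewrites the source of LAN-to-LAN forwarded connections to machine1's own LAN address, so the reply goes back through machine1 and conntrack undoes both translations. The script below is an added example, not the poster's configuration or anything from the netfilter project; it assumes machine1's LAN address is 192.168.1.1 as in the diagram, uses /24 for the netmask shown, and drops the UDP rules because ssh and http are TCP-only. The `nat_rules` function only prints the rule set so it can be reviewed; `--apply` feeds it to iptables.

```shell
#!/bin/sh
# Added example: hairpin (NAT loopback) rule set for machine1 in the post.
# Assumptions not stated in the post: machine1's LAN address is 192.168.1.1
# (taken from the diagram), the LAN is 192.168.1.0/24, and internal clients
# keep using the external address 1.2.3.4 to reach the forwarded services.
EXT_IP=1.2.3.4
EXT_IF=ppp0
LAN_NET=192.168.1.0/24
LAN_GW=192.168.1.1        # machine1's LAN-side address, used as hairpin source
SSH_HOST=192.168.1.2
WEB_HOST=192.168.1.3

# Emit one iptables argument string per line. Generating and applying are kept
# separate so the set can be reviewed (or diffed against iptables-save) before
# touching the live nat table.
nat_rules() {
    # Outbound masquerading for the LAN, as in the post.
    printf '%s\n' "-t nat -A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE"

    # Port forwards. Only TCP is needed: ssh and http do not use UDP.
    # Matching on -d alone means LAN clients that connect to $EXT_IP are
    # DNATed too; that is intended for hairpin access to work.
    printf '%s\n' "-t nat -A PREROUTING -p tcp -d $EXT_IP --dport 22 -j DNAT --to-destination $SSH_HOST"
    printf '%s\n' "-t nat -A PREROUTING -p tcp -d $EXT_IP --dport 80 -j DNAT --to-destination $WEB_HOST"

    # Hairpin fix. POSTROUTING sees the packet after DNAT, so -d is already the
    # internal server. Without these rules the server would see the client's
    # real LAN source address and reply directly across the hub, bypassing
    # machine1; the client then gets a SYN-ACK from 192.168.1.x instead of
    # 1.2.3.4 and drops it. Rewriting the source to machine1 forces the reply
    # back through machine1, where conntrack reverses both translations.
    printf '%s\n' "-t nat -A POSTROUTING -s $LAN_NET -d $SSH_HOST -p tcp --dport 22 -j SNAT --to-source $LAN_GW"
    printf '%s\n' "-t nat -A POSTROUTING -s $LAN_NET -d $WEB_HOST -p tcp --dport 80 -j SNAT --to-source $LAN_GW"
}

# Number of rules that rewrite a LAN client's source to machine1's address;
# there must be one per forwarded service or that service will hang from inside.
hairpin_rule_count() {
    nat_rules | grep -c -- "-j SNAT --to-source $LAN_GW"
}

# Number of DNAT (port-forward) rules; every one of them needs a hairpin partner.
dnat_rule_count() {
    nat_rules | grep -c -- "-j DNAT"
}

# Returns 0 when each forward has a matching hairpin SNAT rule.
rules_consistent() {
    [ "$(hairpin_rule_count)" -eq "$(dnat_rule_count)" ]
}

apply_rules() {
    rules_consistent || { echo "hairpin rules missing for some forwards" >&2; return 1; }
    nat_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule string into arguments is intended
        /sbin/iptables $rule
    done
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       nat_rules ;;    # default: print the rule set for review
esac
```

With these rules loaded, `lynx 1.2.3.4` from 192.168.1.2 shows two NAT hits on machine1 (DNAT on the way in, SNAT on the way out to machine3) and the server's access log records the client as 192.168.1.1 rather than the real LAN address. If the real client address must be preserved in the logs, the alternative is to have internal hosts resolve the service names to the 192.168.1.x addresses (split DNS) instead of hairpinning through the gateway.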