Thank you for the explanation. By far much better than "think logically" as someone else puts it. You know, if you think a question is stupid, don't answer it.
Glover George
Systems/Networks Administrator
Gulf Sales & Supply, Inc.
[EMAIL PROTECTED]
(228)-762-0268

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Antony Stone
Sent: Wednesday, June 12, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: Re: Internal machines can't resolve external addresses

On Wednesday 12 June 2002 4:07 pm, Glover George wrote:

> Yes I've come across this problem MANY MANY times before, and would
> appreciate it if someone could explain exactly why this doesn't work.
> For instance. I have 3 machines, a firewall/nat (linux), a linux
> webserver and a windows machine behind it. Now I am serving a website
> that is on the webserver behind the firewall, and its DNS stuff is
> somewhere out on the internet. On my windows machine it resolves to the
> public interface of the firewall. Why don't packets destined for that
> machine realize that they must be sent to the webserver instead of out
> on the public interface?

They do. The problem is the reply packets.

Your windows machine has a local network address. It tries to contact the public address of the webserver, goes through the firewall (default route), gets DNATted to the private address of the webserver... so far no problem.

Then the webserver replies to the local address of the windows machine - ooh, it's local, therefore it doesn't have to go through the firewall, therefore it doesn't get reverse NATted by netfilter.

So your windows machine contacts a public address and gets a reply from a local machine. Doesn't like it, therefore no connection.

Hope this helps.

Antony.
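The packet flow Antony describes, traced step by step in a small simulation. This is an added example, not code from the thread or from netfilter: the three hosts, the 192.168.1.0/24 LAN and the 203.0.113.5 public address are constructed values, and the "conntrack" table is a minimal model of how the firewall remembers which reply tuple belongs to which translated connection. It also shows the usual remedy, which the thread does not discuss: additionally source-NATting hairpinned connections to the firewall's internal address, so that the webserver's reply is forced back through the firewall and gets reverse-translated.

```python
"""Model of a LAN client reaching a DNATed server through the public address.

Without hairpin SNAT the server answers the client directly on the LAN and
the client sees a reply from an address it never contacted (no connection).
With hairpin SNAT the reply returns via the firewall and is un-NATted.
All addresses below are constructed for the example.
"""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
WIN = "192.168.1.10"     # windows client (constructed)
WEB = "192.168.1.20"     # linux webserver (constructed)
FW_INT = "192.168.1.1"   # firewall, LAN side (constructed)
FW_PUB = "203.0.113.5"   # firewall, public side (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" (client request) or "SYN-ACK" (server reply)


def in_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


class Firewall:
    """Toy netfilter: DNAT public:80 to the webserver, optionally hairpin SNAT."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # expected reply tuple -> original (src, sport, dst, dport) of the flow
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Reply of a tracked flow: undo both translations, so the client
            # sees the answer coming from the public address it contacted.
            osrc, osport, odst, odport = self.conntrack[key]
            return replace(pkt, src=odst, sport=odport, dst=osrc, dport=osport)
        new = pkt
        if pkt.dst == FW_PUB and pkt.dport == 80:
            new = replace(new, dst=WEB)                 # DNAT rule
        if self.hairpin_snat and in_lan(pkt.src) and in_lan(new.dst):
            new = replace(new, src=FW_INT)              # hairpin SNAT (remedy)
        # Remember what the reply to the translated packet will look like.
        self.conntrack[(new.dst, new.dport, new.src, new.sport)] = key
        return new


def route(pkt: Packet, fw: Firewall) -> Packet:
    """One hop of routing. A destination on the same subnet is reached
    directly, so the firewall never sees the packet; anything else (default
    route, or a packet addressed to the firewall itself) goes through it."""
    if in_lan(pkt.dst) and pkt.dst != FW_INT:
        return pkt
    return fw.forward(pkt)


def webserver_reply(pkt: Packet) -> Packet:
    """The webserver answers whatever source address it saw on the SYN."""
    return Packet(src=WEB, sport=80, dst=pkt.src, dport=pkt.sport, flags="SYN-ACK")


def client_accepts(reply: Packet, expected_peer: tuple) -> bool:
    """A TCP stack only matches a SYN-ACK from the peer it sent the SYN to."""
    return (reply.dst == WIN and reply.flags == "SYN-ACK"
            and (reply.src, reply.sport) == expected_peer)


def simulate(hairpin_snat: bool) -> dict:
    fw = Firewall(hairpin_snat)
    syn = Packet(src=WIN, sport=40000, dst=FW_PUB, dport=80, flags="SYN")
    at_server = route(syn, fw)             # passes the firewall, gets DNATted
    reply = webserver_reply(at_server)
    at_client = route(reply, fw)           # direct on the LAN, or via firewall
    return {
        "server_saw_src": at_server.src,
        "client_saw_src": at_client.src,
        "connected": client_accepts(at_client, (FW_PUB, 80)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hairpin SNAT" if mode else "plain DNAT  ", simulate(mode))
```

Without the extra SNAT the client sees the SYN-ACK arrive from 192.168.1.20 although it sent its SYN to 203.0.113.5, which is exactly the mismatch Antony describes. On a real netfilter box the remedy modelled by `hairpin_snat` is a `POSTROUTING` rule in the `nat` table of the form `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.20 -p tcp --dport 80 -j SNAT --to-source 192.168.1.1` (addresses are the constructed ones above); the cost is that the webserver's logs then show the firewall's address instead of the real LAN client.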
