Hi Mark. 

I guess your server is trying to reply back directly to the requesting machine.
Try SNAT. Just add this line after your PREROUTING rule:

    iptables -t nat -A POSTROUTING -d 192.168.0.253 -s 192.168.1.0/24 -p tcp -j SNAT --to <your NAT box's internal IP>

For more info please read:
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

If faced with the same requirement (port forwarding to an internal machine), I
prefer the solution suggested in the third paragraph, so that all connections
from the internal network to the server are made directly. That is what they
call a split-horizon DNS scheme using views. To learn more about this, see the
"view" configuration directive in the BIND Administrator's Reference Manual -
http://melecio.org/filebank/bind9arm.pdf (sorry, I can't find the original
document at isc.org).

HTH.

Gari


Quoting Mark Quitoriano <[EMAIL PROTECTED]>:

> Hi, I'm having a dilemma with iptables. I'm forwarding one IP address from
> the firewall to an internal server (with an internal IP). The scripts worked
> fine: you can access the server from outside the network, but when I
> try to access the server from inside I can't connect to the server.
> 
> here's a diagram:
>  __________        __________        _________________
> | internet | ---- | firewall | ---- | web/mail server |
>  ----------        ----------        -----------------
>                        |
>                  _____________
>                 | workstation |
>                  -------------
> 
> 
> Here's the syntax I added for forwarding the public IP to an internal
> IP (192.168.0.253):
> iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT --to 192.168.0.253
> 
> 
> 
> When I try to browse my server from the internal workstation I always
> get a timeout, and even when I tried to telnet to port 25 the same thing happened.
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

--
Philippine Linux Users' Group (PLUG) Mailing List
plug@lists.q-linux.com (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
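The rule set below is an added example, not part of either mail in the thread, that puts the DNAT rule from the question and the SNAT "hairpin" rule from the reply together with the FORWARD rules a practitioner would want, restricted to the ports actually served. Everything except the server address 192.168.0.253 is an assumption: the public address 203.0.113.10 stands in for xxx.xxx.xxx.xxx, the LAN is taken to be 192.168.0.0/24 (the server's own subnet) and the firewall's LAN address to be 192.168.0.1; set the environment variables to match your network.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): hairpin NAT for a
# port-forward, so that LAN hosts can reach the server via its public address.
# Assumed values (not from the original mail): public IP 203.0.113.10, LAN
# 192.168.0.0/24, firewall LAN address 192.168.0.1. The server 192.168.0.253
# is the one from the thread. Override any of them via the environment.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SERVER="${SERVER:-192.168.0.253}"
FW_LAN_IP="${FW_LAN_IP:-192.168.0.1}"
PORTS="${PORTS:-25 80}"
# $IPT is expanded unquoted on purpose: IPT="echo iptables" turns every rule
# into a printed dry-run line instead of a change to the live ruleset.
IPT="${IPT:-iptables}"

hairpin_rules() {
    for p in $PORTS; do
        # 1. Rewrite the destination for anyone, outside or on the LAN, who
        #    connects to the public address. The rule in the question had no
        #    --dport, so it forwarded every TCP port to the server; match only
        #    the services you mean to expose.
        $IPT -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$p" \
            -j DNAT --to-destination "$SERVER:$p"
        # 2. The hairpin. After DNAT a LAN client's packet has a LAN source and
        #    a LAN destination, so the server answers the client directly from
        #    192.168.0.253. The client sent its SYN to the public IP, sees a
        #    SYN/ACK from a different address and drops it: the timeout in the
        #    question. Rewriting the source to the firewall's LAN address makes
        #    the server reply via the firewall, where conntrack undoes both
        #    translations.
        $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$SERVER" -p tcp --dport "$p" \
            -j SNAT --to-source "$FW_LAN_IP"
        # 3. The filter table sees the packet after DNAT, so match the real
        #    server address and the single forwarded port.
        $IPT -A FORWARD -d "$SERVER" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # Replies from the server to the forwarded connections.
    $IPT -A FORWARD -s "$SERVER" -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Forwarding must be enabled on the firewall for any of this to work:
#   sysctl -w net.ipv4.ip_forward=1
# "sh hairpin.sh apply" (as root) installs the rules; run without arguments
# to print them instead.
if [ "${1:-}" = "apply" ]; then
    hairpin_rules
else
    IPT="echo iptables"
    hairpin_rules
fi
```

Two caveats when choosing this over the split-horizon DNS approach mentioned in the reply: with the hairpin SNAT in place the server's logs show every internal client as the firewall's LAN address, which loses the per-client audit trail, and all internal traffic to the server takes two trips through the firewall. Split-horizon DNS avoids both, at the price of maintaining a second zone view.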
