On Tuesday 23 January 2007 14:51, Andrew Jorgensen wrote:
> On 1/23/07, Nicholas Leippe <[EMAIL PROTECTED]> wrote:
> > You'll need both a DNAT and a SNAT rule if you don't want to do an
> > internal zone in your DNS. See:
> >
> > http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html
>
> Thanks for this, Nicholas, I think it's almost what I'm looking for
> but if I'm reading it correctly the example is just forwarding the lan
> port 80 to the internal web server as well. I want it to do that only
> if the destination address is the external address.
The first part of the example does exactly this--it DNATs anything destined to tcp 1.2.3.4:80 back to 192.168.1.1. The key is the second, SNAT rule, that forces the reply to travel back through the firewall.

> I suppose one of my problems is going to be that I don't know my
> external address until after dhcp is up, but it wouldn't be a big deal
> to have something run as a dhcp change hook.

Yes, it is easier if you have a static ip.

There is also another way to do it, without having all of the traffic go through the firewall--only the one direction:

1) mark packets destined for tcp <your public ip>:80 in the mangle:PREROUTING table
2) add a routing rule to tell it to use a different table to route packets with the mark from (1)
3) add the new routing table that simply routes everything to the internal web server

This method does not change the packets at all, and the response packets are sent directly from the internal web server to the client. It still, however, requires you to know the external ip address.
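As an added example (not from the thread or the netfilter HOWTO), the script below emits the two-rule hairpin set Nicholas points to, with the external address passed in so a dhcp change hook can regenerate it; the LAN interface (eth1), LAN subnet (192.168.1.0/24) and server address (192.168.1.1) are assumed values.

```shell
#!/bin/sh
# Added example: print the DNAT + SNAT pair that makes LAN clients reach the
# internal web server via the *external* address. Assumed values: eth1 is the
# LAN interface, 192.168.1.0/24 the LAN, 192.168.1.1 the web server, 1.2.3.4
# the external address handed out by dhcp. Rules are printed, not applied;
# review them, then feed them to sh as root on the firewall.

is_ipv4() {
    # Accept only a dotted quad with every octet in 0..255 (guards against a
    # dhcp hook handing us an empty or malformed address).
    echo "$1" | awk -F. 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ \
        && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ \
        && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 { ok = 1 }
        END { exit !ok }'
}

hairpin_rules() {
    ext_ip=$1; lan_if=$2; lan_net=$3; web_ip=$4; port=${5:-80}
    is_ipv4 "$ext_ip" || { echo "bad external ip: $ext_ip" >&2; return 1; }
    is_ipv4 "$web_ip" || { echo "bad server ip: $web_ip" >&2; return 1; }
    # 1) DNAT only when the destination is the external address, whether the
    #    packet arrived from the internet or from the LAN.
    echo "iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport $port" \
         "-j DNAT --to-destination $web_ip:$port"
    # 2) SNAT only LAN-originated connections, so the server answers the
    #    firewall (which un-NATs the reply) instead of the client directly,
    #    where the reply would not match the client's connection. Internet
    #    clients keep their real source address for the server's logs.
    echo "iptables -t nat -A POSTROUTING -o $lan_if -s $lan_net -d $web_ip" \
         "-p tcp --dport $port -j MASQUERADE"
}

# Usage (e.g. from a dhclient exit hook that knows the new lease address):
#   hairpin_rules 1.2.3.4 eth1 192.168.1.0/24 192.168.1.1 80
```

Because the rules are appended, a hook that re-runs this on every lease change should first delete the previous pair (or keep them in a dedicated chain it flushes) so stale external addresses do not accumulate.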
