No. External hosts are fine as mentioned in the original post as "Outside
clients".
It's the firewall _itself_ that can't access the external IP address of
these servers...
        Ext Clients (Works)
               |
               |
         Firewall (Fails)
               |
              HUB
           +--+--+
           |     |
          WWW    |
                 |
         Int Clients (Works)
Firewall Int IP = 192.168.1.254
Website Int IP = 192.168.1.1
Client Int IP = 192.168.1.65
Everybody BUT the firewall can PING and browse the WWW server via the
external IP address but the firewall can't... The rule you supplied works
for external clients.
Hopefully I've explained it better here..
thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au
-----Original Message-----
From: Crossfire [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17 2002 8:16 AM
To: George Vieira
Cc: '[EMAIL PROTECTED]'
Subject: Re: [SLUG] Iptables and internal web servers redirected works,
but what abou t the firewall itself..
George Vieira was once rumoured to have said:
> Hi all,
>
> I have everything working sweet with IPtables but what I've noticed is that
> the firewall itself can't ping/connect to the internal/NATed webservers...
>
> Outside and Inside clients are routed / translated back and forth OK but
> the firewall can't connect..
>
> From my little diagram, I can only see that it can only be done at the
> OUTPUT(nat) chain and the PREROUTING(nat) chain on the internal nic
> interface
>
> Does this sound right to people.. I don't want to knock my webserver
> down.....
>
> iptables -A OUTPUT -t nat -d 203.x.x.x -j DNAT --to 192.168.1.1:80
> iptables -A PREROUTING -t nat -s 192.168.1.1:80 -i eth0 -j SNAT --to 203.x.x.x
Uh, this is much bogosity.
If you're trying to let external hosts connect to 192.168.1.1:80 by
communicating to 203.x.x.x, you want:
iptables -t nat -A PREROUTING -p tcp -d 203.x.x.x --dport 80 -j DNAT --to-destination 192.168.1.1
the reverse rule is NOT necessary as NAT replies are dynamically
handled in iptables, even for static translations.
C.
--
--==============================================--
Crossfire | This email was brought to you
[EMAIL PROTECTED] | on 100% Recycled Electrons
--==============================================--
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
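To illustrate why the PREROUTING DNAT rule in the thread serves external clients but not the firewall's own connections, here is an added model of netfilter's nat-chain traversal (not code from the list or from iptables): packets arriving on an interface pass through nat PREROUTING, while packets the firewall generates itself pass through nat OUTPUT instead. The addresses 203.0.113.10 and 198.51.100.7 are constructed stand-ins for the thread's 203.x.x.x and an outside client.

```python
from dataclasses import dataclass

EXT_IP = "203.0.113.10"   # constructed stand-in for the thread's 203.x.x.x
WEB_INT = "192.168.1.1"   # internal web server from the thread
FW_INT = "192.168.1.254"  # firewall's internal address from the thread


@dataclass
class Rule:
    """One nat-table DNAT rule: matches tcp traffic to dst:dport."""
    chain: str   # "PREROUTING" or "OUTPUT"
    dst: str
    dport: int
    to: str      # DNAT --to-destination


# Crossfire's rule: only packets that *arrive* on an interface hit PREROUTING.
PREROUTING_ONLY = [Rule("PREROUTING", EXT_IP, 80, WEB_INT)]

# Locally generated packets (the firewall browsing its own external IP) never
# see PREROUTING; they traverse nat OUTPUT, so that chain needs its own rule.
WITH_OUTPUT = PREROUTING_ONLY + [Rule("OUTPUT", EXT_IP, 80, WEB_INT)]


def nat_destination(rules, dst, dport, locally_generated):
    """Destination after the nat table, following netfilter's traversal order:
    incoming packets consult PREROUTING, locally generated ones consult OUTPUT.
    The first matching rule wins, as in iptables; no match means no rewrite."""
    chain = "OUTPUT" if locally_generated else "PREROUTING"
    for rule in rules:
        if rule.chain == chain and rule.dst == dst and rule.dport == dport:
            return rule.to
    return dst


def reaches_webserver(rules, locally_generated):
    """True if a tcp/80 connection to the external IP lands on the web server."""
    return nat_destination(rules, EXT_IP, 80, locally_generated) == WEB_INT


if __name__ == "__main__":
    print("external client, PREROUTING only:", reaches_webserver(PREROUTING_ONLY, False))
    print("firewall itself,  PREROUTING only:", reaches_webserver(PREROUTING_ONLY, True))
    print("firewall itself,  with OUTPUT rule:", reaches_webserver(WITH_OUTPUT, True))
```

Replies are not modelled because, as Crossfire notes, conntrack reverses the translation for them automatically.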