Iptables -- Port Forwarding ??

Taking care of your Linux box.

Iptables -- Port Forwarding ??

Postby crazy_c » Wed Jun 02, 2004 4:47 pm

Assalam o Alaikum

i am using Slackware with IPTABLES latest version ..i have a webserver(192.168.0.3) inside my lan and i am forwarding my external traffic(say 213.130.x.x static IP) at 80 to my internal webserver at the same port

i use the following rule for it

$IPT -A FORWARD -p tcp -i ppp0 -d 192.168.0.3 --dport 80 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i ppp0 -d 213.130.x.x --dport 80 -j DNAT --to 192.168.0.3


its working perfectly and forwarding all traffic 2 my internal IP of other internet users

but the problem is that i cant browse my website on internal server (192.168.0.3) from any other computer on LAN

can u guys tell me where am i doing wrong

Regards
Mudassir
crazy_c
Cadet
 
Posts: 2
Joined: Wed Jan 21, 2004 10:14 pm
WLM: mudassiranjum@hotmail.com
Yahoo Messenger: khiska_hoowa@yahoo.com

Postby crazy_c » Thu Jun 03, 2004 2:41 pm

Salaam again

Atlast it solved it

its not working caz according 2 Oskar Andreasson tutorial when packets come from lan this happens

===========Packet leaves $LAN_BOX to $INET_IP.

The packet reaches the firewall.

The packet gets DNAT'ed, and all other required actions are taken, however, the packet is not SNAT'ed, so the same source IP address is used on the packet.

The packet leaves the firewall and reaches the HTTP server.

The HTTP server tries to respond to the packet, and sees in the routing databases that the packet came from a local box on the same network, and hence tries to send the packet directly to the original source IP address (which now becomes the destination IP address).

The packet reaches the client, and the client gets confused since the return packet does not come from the host that it sent the original request to. Hence, the client drops the reply packet, and waits for the "real" reply.

===================


now what i enter following rule and its working perfectly



$IPT -t nat -A PREROUTING -p tcp -i eth1 -d <internet Ip> --dport 80 -j DNAT --to-destiantion <web-server-IP>

$IPT -t nat -A POSTROUTING -p ! icmp -o eth1 -d <web-server-IP> -j SNAT --to-dsource <Internet-IP>



Allah hafiz
crazy_c
Cadet
 
Posts: 2
Joined: Wed Jan 21, 2004 10:14 pm
WLM: mudassiranjum@hotmail.com
Yahoo Messenger: khiska_hoowa@yahoo.com


Return to “%s” Administration

Who is online

Users browsing this forum: No registered users and 1 guest

cron