PREROUTING problem
Hi,

I have a DNAT problem.

Can somebody help me? I have used iptables since 2002.
But now, with Fedora 5 and iptables v1.3.5, only the PREROUTING rules (DNAT)
do not work. These rules were copied from a Fedora 4 box with iptables
v1.3.0, where everything worked.

Márcio
Re: PREROUTING problem
Hello,

Diego K. wrote:
> Hello, I have the following problem
>
> LAN --------------------- Etch Linux Firewall --------------------- Internet
> 10.1.x.x/16        eth1:10.1.1.1               eth0:200.3.5.100
>       |
>       |
>       |
> Server1: 10.1.1.50

[Beware of line wrapping]

> When I get a connection from the internet to 200.3.5.100:80, the ip
> forward works OK to server1, but when I try to connect to 200.3.5.100
> from the LAN it does not work. I know that I can connect to 10.1.1.50,
> but I need it from both IPs, private and public, from the LAN.

Well known routing problem. Replies from the server go directly back to
the client and arrive there with the wrong source address.

> I have the following config
>
> iptables -t nat -A PREROUTING -s 0/0 -p tcp -d 200.3.5.100 --dport 80
> -j DNAT --to 10.1.1.50:80
> iptables -A FORWARD -p tcp -d 10.1.1.50 --dport 80 -j ACCEPT

You must SNAT the connections coming from the LAN so the reply packets
go back to the firewall which puts back the correct source address.
Adding the following rule should do it:

iptables -t nat -A POSTROUTING -o eth1 -s 10.1.0.0/16 -d 10.1.1.50 \
-p tcp --dport 80 -j SNAT --to 10.1.1.1

Note that this will prevent the server from seeing the real source
address when a connection comes from the LAN using the public address.

Also make sure traffic in FORWARD from eth1 to eth1 is accepted.
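The complete rule set the reply describes, as an added example that is not code from the thread: a POSIX shell script that prints (and, with `--apply`, executes as root) the DNAT, FORWARD and SNAT rules for the addresses in the thread (200.3.5.100, 10.1.1.50, 10.1.1.1, 10.1.0.0/16, eth0, eth1, port 80). The function names, the interface-specific FORWARD rules and the ESTABLISHED,RELATED rule are my additions and assume a FORWARD chain that does not already accept return traffic.

```shell
#!/bin/sh
# Added example, not code from the thread: emit (and optionally apply) the
# iptables rules for "hairpin" DNAT, i.e. the PREROUTING rule from the
# question plus the POSTROUTING SNAT and FORWARD rules from the reply, so
# that both Internet and LAN clients reach the server via the public address.

# hairpin_nat_rules PUBLIC_IP SERVER_IP FW_LAN_IP LAN_CIDR WAN_IF LAN_IF PORT
# Prints one iptables command per line; nothing is executed here.
hairpin_nat_rules() {
    pub="$1"; srv="$2"; fw="$3"; lan="$4"; wan="$5"; lanif="$6"; port="$7"

    # 1. DNAT in PREROUTING. Deliberately not limited to "-i $wan": a LAN
    #    client connecting to the public address must be rewritten as well.
    printf '%s\n' "iptables -t nat -A PREROUTING -p tcp -d $pub --dport $port -j DNAT --to-destination $srv:$port"

    # 2. Accept the rewritten connections in FORWARD, written per interface
    #    pair so the LAN-to-LAN case (in and out on $lanif) is explicit and
    #    cannot be lost in a chain that is keyed on -i/-o.
    printf '%s\n' "iptables -A FORWARD -i $wan -o $lanif -p tcp -d $srv --dport $port -j ACCEPT"
    printf '%s\n' "iptables -A FORWARD -i $lanif -o $lanif -p tcp -d $srv --dport $port -j ACCEPT"
    #    Return traffic (assumption: the chain has no such rule yet).
    printf '%s\n' "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 3. SNAT in POSTROUTING, only for connections that came from the LAN and
    #    leave on the LAN interface towards the server. The server then
    #    answers the firewall, which undoes both translations. Connections
    #    from the Internet do not match "-s $lan" and keep their real source.
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $lanif -s $lan -d $srv -p tcp --dport $port -j SNAT --to-source $fw"
}

# count_rules_matching PATTERN RULES: number of generated rules containing
# PATTERN, a quick sanity check on the generated set.
count_rules_matching() {
    printf '%s\n' "$2" | grep -c -- "$1"
}

# Defaults are the values from the thread; override via the environment.
PUBLIC_IP=${PUBLIC_IP:-200.3.5.100}
SERVER_IP=${SERVER_IP:-10.1.1.50}
FW_LAN_IP=${FW_LAN_IP:-10.1.1.1}
LAN_CIDR=${LAN_CIDR:-10.1.0.0/16}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PORT=${PORT:-80}

RULES=$(hairpin_nat_rules "$PUBLIC_IP" "$SERVER_IP" "$FW_LAN_IP" "$LAN_CIDR" "$WAN_IF" "$LAN_IF" "$PORT")

if [ "${1:-}" = "--apply" ]; then
    # Requires root: run the generated commands in order, stopping on error.
    printf '%s\n' "$RULES" | sh -e
else
    printf '%s\n' "$RULES"
fi
```

Running the script without arguments prints the five rules for review; `--apply` executes them. The SNAT rule is scoped to `-s 10.1.0.0/16 -o eth1`, so only LAN-originated connections lose their real source address, as the reply notes; if those connections need to be attributed, log them on the firewall (for example with a LOG rule ahead of the SNAT) rather than on the server.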