
Re: [long] NAT & port forwarding iptables problem

>  I think the problem is that your workstation on a 10.x.x.x 
>  connects to the firewall, which NATs the packet
>  and reroutes it to a webserver on a 10.x.x.x network. 
>  Unfortunately for you, the workstation and the
>  webserver are on the same network. 

>  Juno = 10.120
>  webserver = 10.107
>  firewall = 10.101

>  juno: connect to firewall  (10.120 --> 10.101)
>  firewall: dnat to www (10.120 --> 10.107)
>  juno: waiting for a packet back from firewall --over

Of course!

I forgot that the client (in the internal LAN) would expect
an answer from the firewall, and not from the other host!

>  www: response packets (10.107 --> 10.120)
>  juno: what are these packets from www?!?  I'm dropping them
>  juno: waiting for a packet back from firewall --over

Exactly! I hadn't seen that!

>  The problem is that www is not routing the packets back from 
>  whence they came, thus allowing the firewall
>  to un-DNAT them.
>  - What you need is to both DNAT and SNAT a packet, but
>    I don't know if you can do both at once. 

I just found a solution -- now that I know what's wrong, I figured
out how to fix it:

          -s $INT_IP -j SNAT --to $HOSTIP

Without the "-o $IFACE" it will do the trick. (I was doing NAT on
the external interface only! Removing the interface from the
NAT rule solved it!)

Thanks a lot for your help!
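The two rule sets discussed in this thread, side by side, as an added example that is not part of the original mail: the broken version SNATs only on the external interface, the working version adds the interface-free SNAT for LAN clients. The interface name, the public address, the /24 expansion of the thread's 10.x shorthand and the dry-run default are assumptions; the hairpin rule here is narrowed to LAN-to-webserver traffic and uses the firewall's LAN address rather than the author's unrestricted "-s $INT_IP -j SNAT --to $HOSTIP".

```shell
#!/bin/sh
# Hairpin (same-subnet) NAT for a DNATed web server, as discussed in the thread.
EXT_IFACE=eth0            # assumed external interface
HOSTIP=203.0.113.10       # constructed public address of the firewall
FW_INT_IP=10.0.0.101      # firewall's LAN address   (thread: 10.101)
WWW=10.0.0.107            # web server               (thread: 10.107)
INT_NET=10.0.0.0/24       # LAN that both the client (juno) and www sit on

# IPT defaults to a dry run that only prints the rules; set IPT=iptables to apply.
IPT=${IPT:-"echo iptables"}

# Rule set that fails for LAN clients: the DNAT works, but the SNAT is bound to
# the external interface, so www answers the client directly and the client,
# which expects a reply from the firewall's address, drops it.
broken_rules() {
    $IPT -t nat -A PREROUTING -p tcp -d "$HOSTIP" --dport 80 \
        -j DNAT --to-destination "$WWW"
    $IPT -t nat -A POSTROUTING -o "$EXT_IFACE" -s "$INT_NET" \
        -j SNAT --to-source "$HOSTIP"
}

# Working rule set: same DNAT, plus a POSTROUTING SNAT with no -o restriction.
# Replies from www now go to the firewall, are un-DNATed there, and reach the
# client from the address it connected to.
hairpin_rules() {
    $IPT -t nat -A PREROUTING -p tcp -d "$HOSTIP" --dport 80 \
        -j DNAT --to-destination "$WWW"
    # Only LAN -> www:80 connections are rewritten; other LAN traffic keeps its
    # real source address, so the web server's logs stay meaningful for it.
    $IPT -t nat -A POSTROUTING -s "$INT_NET" -d "$WWW" -p tcp --dport 80 \
        -j SNAT --to-source "$FW_INT_IP"
    # Ordinary outbound traffic is still masked on the external interface only.
    $IPT -t nat -A POSTROUTING -o "$EXT_IFACE" -s "$INT_NET" \
        -j SNAT --to-source "$HOSTIP"
}

# Count the POSTROUTING SNAT rules that carry no -o restriction in a rule set
# (dry-run output). The broken set has none; the hairpin set has exactly one.
count_iface_free_snat() {
    "$1" | grep -- '-A POSTROUTING' | grep -v -- ' -o ' | grep -c SNAT || true
}
```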

