Re: [long] NAT & port forwarding iptables problem
> I think the problem is that your workstation on a 10.x.x.x
> connects to the firewall, which NATs the packet
> and reroutes it to a webserver on a 10.x.x.x network.
> Unfortunately for you, the workstation and the
> webserver are on the same network.
> Juno = 10.120
> webserver = 10.107
> firewall = 10.101
> juno: connect to firewall (10.120 --> 10.101)
> firewall: dnat to www (10.120 --> 10.107)
> juno: waiting for a packet back from firewall --over
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Yes!!!
Of course!
I forgot that the client (in the internal LAN) would expect
an answer from the firewall, and not from the other host!
> www: response packets (10.107 --> 10.120)
> juno: what are these packets from www?!? I'm dropping them
> juno: waiting for a packet back from firewall --over
Exactly! I hadn't seen that!
> The problem is that www is not routing the packets back from
> whence they came, thus allowing the firewall
> to un-DNAT them.
> - What you need is to both DNAT and SNAT a packet, but
> I don't know if you can do both at once.
I just found a solution -- now that I know what's wrong, I figured
out how to fix it:
$IPTABLES -t nat -A POSTROUTING \
    -s $INT_IP -j SNAT --to $HOSTIP
Without the "-o $IFACE" this does the trick. (I was doing NAT on
the external interface only! Removing the interface from the
NAT rule solved it!)
Thanks a lot for your help!
J.
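The hairpin case worked through in this thread, as an added example that is not the poster's script: a dry-run iptables rule generator for a DNAT'd web server that LAN clients reach via the firewall. Only the last octets (.120 client, .107 web server, .101 firewall) come from the thread; the /24, the external address 192.0.2.1 and the interface names eth0/eth1 are assumptions. It narrows the poster's fix: rather than dropping -o and SNATing everything from the LAN, it SNATs only the LAN-to-www port 80 connections leaving on the internal interface, so other forwarded LAN traffic keeps its real source address.

```shell
#!/bin/sh
# Added example: hairpin ("NAT loopback") rules for a DNAT'd web server that
# LAN clients reach through the firewall. Not the poster's script; all
# addresses and interface names below are assumptions, only the last octets
# (.120 client, .107 web server, .101 firewall) come from the thread.
LAN_NET="${LAN_NET:-10.0.0.0/24}"          # internal LAN (assumed /24)
WWW_IP="${WWW_IP:-10.0.0.107}"             # web server
FW_LAN_IP="${FW_LAN_IP:-10.0.0.101}"       # firewall, LAN side
FW_EXT_IP="${FW_EXT_IP:-192.0.2.1}"        # firewall, Internet side (assumed)
EXT_IF="${EXT_IF:-eth0}"                   # assumed external interface
INT_IF="${INT_IF:-eth1}"                   # assumed internal interface
# Dry run by default: the rules are printed, not applied.
# Run with IPTABLES=iptables as root to install them.
IPTABLES="${IPTABLES:-echo iptables}"

hairpin_nat_rules() {
    # 1. Port 80 from the Internet: DNAT to the web server.
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -d "$FW_EXT_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$WWW_IP"
    # 2. Port 80 from the LAN aimed at the firewall (the thread's 10.120 -> 10.101):
    #    same DNAT. With only this rule, www answers 10.120 directly and the
    #    client, which is waiting for a reply from 10.101, drops it.
    $IPTABLES -t nat -A PREROUTING -i "$INT_IF" -d "$FW_LAN_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$WWW_IP"
    # 3. Ordinary Internet-bound LAN traffic: SNAT on the external interface only.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$FW_EXT_IP"
    # 4. The hairpin fix: the DNAT'd connection leaves again on INT_IF, so SNAT
    #    it to the firewall's LAN address as well. www then replies to the
    #    firewall, conntrack reverses both translations, and the client gets
    #    the reply from 10.101 it expects. Matching -d WWW_IP and --dport 80
    #    keeps every other forwarded LAN connection at its real source address.
    $IPTABLES -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN_NET" -d "$WWW_IP" \
        -p tcp --dport 80 -j SNAT --to-source "$FW_LAN_IP"
}

hairpin_nat_rules
```

Two caveats a practitioner should keep in mind: for hairpinned connections the web server logs the firewall's LAN address instead of the real client, and forwarding must be enabled (net.ipv4.ip_forward=1) with a FORWARD policy that accepts the translated flow, otherwise the NAT rules match but nothing gets through. Split-horizon DNS (resolving the public name to the web server's 10.x address inside the LAN) sidesteps the hairpin entirely and preserves client addresses in the logs.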