Consider - 172.16.2.10 sends a web request to 12.34.56.78:

  source IP=172.16.2.10
  dest IP=12.34.56.78

The firewall NATs the IP:

  source IP=172.16.2.10
  dest IP=172.16.2.2

The web server responds to the request:

  source IP=172.16.2.2    # NAT'ed server IP
  dest IP=172.16.2.10     # original client

The client receives a packet with a source IP of 172.16.2.2. But the client sent the request with a dest IP of 12.34.56.78. The client will reject the response packet, because the client never sent a request to 172.16.2.2.

Usually the firewall has a corresponding SNAT rule to rewrite the internal IP of the server on the way out. This is not happening because your client is inside the firewall.

Your internal clients should use the internal IP to connect, not the external IP.

On 2002-04-30 11:46, Ryan White wrote:
>
> I have an external IP 12.34.56.78 NATed to 172.16.2.2, but when another
> workstation behind the firewall tries to connect to 12.34.56.78 they are
> unable to connect. Here is my little NAT:
>
> $IPTABLES -I PREROUTING -p tcp -t nat -d 12.34.56.78 --dport 80 -j DNAT --to 172.16.2.2:80
> $IPTABLES -I PREROUTING -p tcp -t nat -d 12.34.56.78 --dport 443 -j DNAT --to 172.16.2.2:443
> $IPTABLES -I FORWARD -p tcp -i eth0 -d 172.16.3.6 -m state --state NEW -j ACCEPT
> $IPTABLES -I FORWARD -p tcp -o eth1 -d 12.34.56.78 -m state --state NEW -j ACCEPT
>
> What do I have to add to get an internal machine to access 12.34.56.78
> directly?
> Some answers to obvious questions:
> Forward NAT works, I can connect from the outside to 12.34.56.78:80
> Internal access to the internal IP works, I can connect to 172.16.2.2:80
>
> Thanks for your help.
>
> -Ryan

--
Jonathan Freiermuth
Lead Systems Engineer
jonf@voiceweb.net
VoiceWeb Corporation
=========================================================================
"Taking my gun away because I might shoot someone is like cutting my
tongue out because I might yell `Fire!' in a crowded theater."
-- Peter Venetoklis
=========================================================================
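To make the packet trace in the reply concrete, here is an added simulation (not part of the thread, and not anyone's real firewall config) that models the DNAT rule from Ryan's ruleset with and without the hairpin SNAT the reply mentions. The firewall's LAN address 172.16.2.1 and the client's source port are assumed values.

```python
from dataclasses import dataclass, replace

FW_EXT, FW_INT = "12.34.56.78", "172.16.2.1"  # FW_INT is a constructed LAN address for the firewall
SERVER, CLIENT = "172.16.2.2", "172.16.2.10"   # addresses from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Firewall:
    """Model of '-t nat PREROUTING -d 12.34.56.78 --dport 80/443 -j DNAT --to 172.16.2.2',
    optionally followed by a POSTROUTING SNAT for LAN-sourced (hairpin) connections."""

    def __init__(self, hairpin_snat: bool = False):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # reply 4-tuple as the server sends it -> original request

    def forward(self, pkt: Packet) -> Packet:
        if pkt.dst == FW_EXT and pkt.dport in (80, 443):
            out = replace(pkt, dst=SERVER)  # DNAT: rewrite destination to the internal server
            if self.hairpin_snat and pkt.src.startswith("172.16.2."):
                out = replace(out, src=FW_INT)  # SNAT so the server's reply returns via the firewall
            self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        return pkt

    def reverse(self, reply: Packet) -> Packet:
        # Undo both translations on a reply that belongs to a tracked connection
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return reply
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def client_accepts(request: Packet, reply: Packet) -> bool:
    # The client only matches a reply whose source is the address/port it actually sent to
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


def simulate(hairpin_snat: bool):
    """Returns (client accepted the reply?, source IP the client saw on the reply)."""
    fw = Firewall(hairpin_snat)
    req = Packet(CLIENT, FW_EXT, 40000, 80)
    seen_by_server = fw.forward(req)
    reply = Packet(seen_by_server.dst, seen_by_server.src, seen_by_server.dport, seen_by_server.sport)
    # A reply addressed to a LAN host goes straight across the LAN and never touches the firewall;
    # only a reply addressed to the firewall's LAN IP gets the NAT undone.
    if reply.dst == FW_INT:
        reply = fw.reverse(reply)
    return client_accepts(req, reply), reply.src
```

`simulate(False)` reproduces the failure in the reply (reply arrives from 172.16.2.2 and is rejected); `simulate(True)` shows why an extra POSTROUTING SNAT for LAN clients makes the external address usable from inside, although pointing internal clients at 172.16.2.2 directly, as the reply advises, avoids the need for it.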