
Re: Internal access for NAT

Consider - sends web request to
	source IP=
	  dest IP=

firewall NAT's IP
	source IP=
	  dest IP=

web server responds to request
	source IP=	# NAT'ed server IP
	  dest IP=	# original client

client receives packet with source IP of But the client
sent the request with a dest IP of The client will reject
the response packet, because the client never sent a request to

Usually the firewall has a corresponding SNAT rule to rewrite the
internal IP of the server on the way out. This is not happening because
your client is inside the firewall.

Your internal clients should use the internal IP to connect, not the
external IP.

On 2002-04-30 11:46, Ryan White wrote:
> I have an external ip NATed to but when another
> workstation behind the firewall tries to connect to they are
> unable to connect. Here is my little nat:
> $IPTABLES -I PREROUTING -p tcp -t nat -d --dport 80 -j DNAT --to
> $IPTABLES -I PREROUTING -p tcp -t nat -d --dport 443 -j
> DNAT --to
> $IPTABLES -I FORWARD -p tcp -i eth0 -d -m state --state NEW -j
> $IPTABLES -I FORWARD -p tcp -o eth1 -d -m state --state NEW -j
> What do I have to add to get an internal machine to access
> directly?
> Some answers to obvious questions:
> Forward NAT works I can connect from the outside to
> Internal access to the internal ip works, I can connect to
> Thanks for your help.
> -Ryan

Jonathan Freiermuth                                 Lead Systems Engineer
jonf@voiceweb.net                                    VoiceWeb Corporation

"Taking my gun away because I might shoot someone is like cutting my 
tongue out because I might yell `Fire!' in a crowded theater." 
-- Peter Venetoklis 
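Added example, not part of the original post or the poster's rule set: a small Python model of the two flows described above, using constructed placeholder addresses and a hypothetical `run_flow` helper. Without an SNAT the server's reply reaches the LAN client directly with the server's own source address; with a hairpin SNAT to the firewall's internal address the reply returns through the firewall and is rewritten back to the external address the client expected.

```python
# Added example (not from the original mailing-list post): a minimal model of
# DNAT-only versus DNAT plus hairpin SNAT for a client on the same LAN as the server.
# All addresses are constructed placeholders, not the poster's real IPs.
from dataclasses import dataclass, replace

CLIENT, EXT_IP, SERVER_IP, FW_LAN_IP = "lan-client", "ext-ip", "server-lan-ip", "fw-lan-ip"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def run_flow(hairpin_snat: bool) -> tuple[Packet, bool]:
    """Return the reply as the client sees it, and whether it matches the
    connection the client opened (reply.src must equal request.dst)."""
    request = Packet(src=CLIENT, dst=EXT_IP)   # client connects to the public address
    conntrack = {}                             # reply tuple -> original request

    # PREROUTING DNAT: public address -> internal server
    dnat = replace(request, dst=SERVER_IP)
    # Optional POSTROUTING SNAT so the server's reply must come back via the firewall
    forwarded = replace(dnat, src=FW_LAN_IP) if hairpin_snat else dnat
    conntrack[(forwarded.dst, forwarded.src)] = request

    # The server answers whatever source address it saw
    reply = Packet(src=forwarded.dst, dst=forwarded.src)

    if reply.dst == CLIENT:
        # Same LAN: reply goes straight to the client and never crosses the firewall,
        # so nothing undoes the DNAT and the source stays the server's internal IP
        seen_by_client = reply
    else:
        # Reply addressed to the firewall: conntrack reverses both rewrites
        original = conntrack[(reply.src, reply.dst)]
        seen_by_client = Packet(src=original.dst, dst=original.src)

    return seen_by_client, seen_by_client.src == request.dst


if __name__ == "__main__":
    for hairpin in (False, True):
        pkt, ok = run_flow(hairpin)
        print(f"hairpin_snat={hairpin}: client sees src={pkt.src}, accepted={ok}")
```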
