[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: NAT iptables routing issue

On 8 Jul 2004, Caveman wrote:
> I have a slight problem I am not sure how to get around.
> Firstly let me draw you a picture. I have computer 'A' which is directly
> connected to the internet and is the ONLY computer to have a internet IP. 
> It routes (via nat ) traffic from clients on the lan to the internet etc.
> Now on box 'B' I have a webserver running and I have forwarded (using 
> prerouting) port 80 to box 'B''s LOCAL IP. This works fine for people outside
> my network (IE, the internet) but I cant access the webserve by using the 
> internet IP from the lan, its never been a big issue, but i have finally 
> decided that I need to work out how to fix this.
> Any ideas ? 

Sure, you have hit one of the classic problems in NAT work: you can't
just DNAT onto the same physical Ethernet segment.

Basically, you send a packet from your IP to the public webserevr IP,
which lives on the firewall.

The firewall then changes the *destination* to the internal, private
webserver IP, and puts that packet onto the Ethernet. The *source* is
your workstation.

The internal webserver then gets the packet, and gets a reply ready.
To send that it grabs the *source* IP from your packet -- the

It then checks the routing table, finds that IP is on the same network
segment, and sends the response packet directly to you workstation --
from the internal IP.

Your workstation, of course, was not talking to the internal IP but the
external one, so it knows nothing of this strange reply packet it was
sent. So, correctly, it responds with "invalid, tear down the
connection" to the internal web server, and viola, no connection.

> The below code is my NAT and prerouting stuff i have setup. I know
> that the postrouting rule i have now is whats causing the issue, but I
> am unsure as to how I should get around this.

Basically, for NAT to work the packets have to pass through the NAT
device in *both* directions.

The easiest way to get this working is to not pass through the NAT in
either direction, by using an internal DNS server or hosts file entry or
something on the workstation.

If you can't, or don't want to, do that, then you need to make sure the
packet goes through the firewall in both directions, so you need to SNAT
any packet from an internal address to the public IP, so that the packet
is returned to the firewall.

That way the firewall correctly changes back both the source and
destination address, and your connection works.

Honestly, though, editing the hosts file is *so* much easier. :)

When you stop learning, stop listening, stop looking and asking
questions, always new questions, then it is time to die.
        -- Lillian Smith

Reply to: