
Re: NAT iptables routing issue



Quite right..

On Thu, 2004-07-08 at 15:46, Daniel Pittman wrote:
> On 8 Jul 2004, Caveman wrote:
> > I have a slight problem I am not sure how to get around.
> > Firstly let me draw you a picture. I have computer 'A' which is directly
> > connected to the internet and is the ONLY computer to have an internet IP.
> > It routes (via NAT) traffic from clients on the LAN to the internet etc.
> >
> > Now on box 'B' I have a webserver running and I have forwarded (using
> > PREROUTING) port 80 to box 'B''s LOCAL IP. This works fine for people outside
> > my network (i.e., the internet) but I can't access the webserver by using the
> > internet IP from the LAN. It's never been a big issue, but I have finally
> > decided that I need to work out how to fix this.
> >
> > Any ideas ? 
> 
> Sure, you have hit one of the classic problems in NAT work: you can't
> just DNAT onto the same physical Ethernet segment.
> 
> Basically, you send a packet from your IP to the public webserver IP,
> which lives on the firewall.
> 
> The firewall then changes the *destination* to the internal, private
> webserver IP, and puts that packet onto the Ethernet. The *source* is
> your workstation.
> 
> The internal webserver then gets the packet, and gets a reply ready.
> To send that it grabs the *source* IP from your packet -- the
> workstation.
> 
> It then checks the routing table, finds that IP is on the same network
> segment, and sends the response packet directly to your workstation --
> from the internal IP.
> 
> Your workstation, of course, was not talking to the internal IP but the
> external one, so it knows nothing of this strange reply packet it was
> sent. So, correctly, it responds with "invalid, tear down the
> connection" to the internal web server, and voila, no connection.
> 
> > The below code is my NAT and prerouting stuff i have setup. I know
> > that the postrouting rule i have now is whats causing the issue, but I
> > am unsure as to how I should get around this.
> 
> Basically, for NAT to work the packets have to pass through the NAT
> device in *both* directions.
> 
> The easiest way to get this working is to not pass through the NAT in
> either direction, by using an internal DNS server or hosts file entry or
> something on the workstation.

Have a look at dnsmasq. It uses /etc/hosts to allow you to serve the
internal IP rather than the external one.
Very easy to install and use.
Just make a REDIRECT rule in nat PREROUTING or adjust everyone's
DNS setting to the firewall IP address.
(Don't let it listen on the internet connection...)
http://thekelleys.org.uk/dnsmasq/doc.html

> 
> If you can't, or don't want to, do that, then you need to make sure the
> packet goes through the firewall in both directions, so you need to SNAT
> any packet from an internal address to the public IP, so that the packet
> is returned to the firewall.
> 
> That way the firewall correctly changes back both the source and
> destination address, and your connection works.
> 
> Honestly, though, editing the hosts file is *so* much easier. :)

AMEN to that...

> 
>           Daniel
> --

Regards,
Peter
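A worked version of the "SNAT it back through the firewall" fix Daniel describes, added here as an example; it is not code from the original thread or from either poster. The interface names, the public address, the firewall's LAN address, the web server address and the LAN prefix are assumed placeholders you would replace with your own. The DNAT rule deliberately carries no `-i` restriction so that it also catches LAN clients talking to the public IP, and the extra POSTROUTING rule rewrites the source of those hairpinned packets to the firewall's LAN address so the web server's reply comes back through box A instead of going straight to the workstation:

```shell
#!/bin/sh
# Hairpin (loopback) NAT for a port-forwarded web server.
# All addresses and interfaces below are assumed placeholders.
WAN_IF=${WAN_IF:-eth0}                  # box A, Internet side
LAN_IF=${LAN_IF:-eth1}                  # box A, LAN side
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}    # box A's Internet address
FW_LAN_IP=${FW_LAN_IP:-192.168.1.1}     # box A's LAN address
WEB_IP=${WEB_IP:-192.168.1.10}          # box B, the internal web server
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Emit the nat-table rules as text. The default action is to print them
# for review; set APPLY=1 to execute them with iptables.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -s $LAN_NET -d $WEB_IP -o $LAN_IF -p tcp --dport 80 -j SNAT --to-source $FW_LAN_IP
EOF
}

# Print or apply each rule, one per line.
apply_rules() {
    nat_rules | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            sh -c "$rule"
        else
            echo "$rule"
        fi
    done
}

# Self-check: the hairpin fix is the SNAT rule for LAN-sourced traffic
# that has already been DNATed to the web server.
has_hairpin_snat() {
    nat_rules | grep -q -- "-d $WEB_IP .* -j SNAT --to-source $FW_LAN_IP"
}

apply_rules
```

Two things to keep in mind with this approach. First, forwarding must be on (`sysctl net.ipv4.ip_forward=1`) and the FORWARD chain must accept LAN-to-LAN traffic to the web server, or the DNATed packet is dropped before POSTROUTING ever sees it. Second, because of the SNAT rule the web server now sees every internal client as `FW_LAN_IP`, so its access logs and any per-client access controls lose the real workstation address. That loss of the client IP is a good reason to prefer the hosts-file or dnsmasq route the thread recommends whenever you can.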


