Re: port forwarding
Hello,
Tsakiridis Antonis wrote:
> I have a small LAN and want to allow access to an internal (no real IP, sorry ;-)) web server to Internet clients.
> The gateway is using iptables v1.2.11 (Debian sarge).
> I have activated port forwarding, so that Internet traffic targeted at my
> gateway's port 80 is forwarded to the internal web server and works just fine.
> (To make things a bit clearer:
> the Internet accesses the gateway through $INET_IP,
> the LAN accesses the gateway through $LAN_IP,
> the IP of the internal web server is $HTTPD_IP)
> What I also want, however, is to allow other LAN hosts to have access to the same
> web server using the FQDN of the gateway (say http://mysite.dyndns.org). To do
> that correctly I must also SNAT LAN packets destined to $INET_IP of the
> gateway:
> iptables -t nat -A POSTROUTING -p TCP -i $LAN_IFACE -d $HTTPD_IP --dport 80 -j SNAT --to-source $LAN_IP
> Which gives me an error:
> iptables v1.2.11: Can't use -i with POSTROUTING
The error message is quite clear: you can't specify an input interface
(-i) in a POSTROUTING chain but only an output interface (-o).
> Finally, I want to be able to contact the web server from the gateway through
> the FQDN as well. So I need to DNAT locally generated packets so that they
> are sent to the proper host:
> iptables -t nat -A OUTPUT -p TCP -d $INET_IP --dport 80 -j DNAT --to-destination $HTTPD_IP:80
> Which also gives me an error:
> iptables v1.2.7a: Invalid argument
Huh? Where does this v1.2.7a version come from?
The syntax seems correct and works for me. If one of the shell variables
$INET_IP or $HTTPD_IP were wrong the error message would be more
explicit. The only thing I can think about which gives this kind of
error message is that your kernel may not support local NAT in the
OUTPUT chain.
What is the kernel version? Is it a Debian kernel image or a custom
kernel you compiled yourself?
If the version is between 2.4.19 and 2.4.28 (inclusive), was the kernel
compiled with the option CONFIG_IP_NF_NAT_LOCAL=y (search in
/boot/config-<version>)?
> Secondly, is there a way to achieve this functionality?
An alternate way is to use some kind of "split DNS": a local DNS server
or proxy used by the local hosts would resolve the FQDN to the server's
private address.
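For reference, a complete hairpin NAT rule set for the setup described in this thread, written here as an added example (it is not from either poster): the PREROUTING DNAT, the POSTROUTING SNAT in its legal -o/-s form, and the OUTPUT DNAT for the gateway's own connections. Interface names and addresses (eth1, 203.0.113.10, 192.168.1.0/24, ...) are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: hairpin NAT for a web server behind a gateway.
# All addresses and interface names below are assumed placeholders; replace them.
LAN_IFACE=eth1           # interface facing the LAN
INET_IP=203.0.113.10     # gateway's public address (what the FQDN resolves to)
LAN_IP=192.168.1.1       # gateway's LAN address
LAN_NET=192.168.1.0/24   # LAN prefix
HTTPD_IP=192.168.1.80    # internal web server

# Emit the nat table in iptables-restore format so it can be reviewed before loading.
hairpin_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Internet and LAN clients addressing the public IP are redirected to the server.
-A PREROUTING -p tcp -d $INET_IP --dport 80 -j DNAT --to-destination $HTTPD_IP:80
# 2. For LAN clients only, rewrite the source to the gateway's LAN address so the
#    server's replies return through the gateway. Without this the server answers
#    the client directly from $HTTPD_IP, but the client expects $INET_IP and
#    discards the packets. POSTROUTING has no input interface: use -o and -s, never -i.
#    Side effect: the server's logs show $LAN_IP instead of the LAN client's address.
-A POSTROUTING -p tcp -o $LAN_IFACE -s $LAN_NET -d $HTTPD_IP --dport 80 -j SNAT --to-source $LAN_IP
# 3. Connections originating on the gateway itself only traverse OUTPUT
#    (needs kernel support for NAT of locally generated packets).
-A OUTPUT -p tcp -d $INET_IP --dport 80 -j DNAT --to-destination $HTTPD_IP:80
COMMIT
EOF
}

# Guard against the mistake from the thread: no -i on any POSTROUTING rule.
check_postrouting_iface() {
    ! hairpin_nat_rules | grep '^-A POSTROUTING' | grep -q -- ' -i '
}

# Load the rules on top of the existing ones (run as root).
apply_hairpin_nat() {
    check_postrouting_iface || return 1
    hairpin_nat_rules | iptables-restore --noflush
}
```

Run `hairpin_nat_rules` alone to inspect the generated table before calling `apply_hairpin_nat`.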