
Re: port forwarding


Tsakiridis Antonis wrote:
> I have a small LAN and want to allow access to an internal (no real IP, sorry ;-)) web server to Internet clients.
>
> The gateway is using iptables v1.2.11 (Debian sarge).
>
> I have activated port forwarding, so that Internet traffic targeted at my gateway's port 80 is forwarded to the internal web server, and it works just fine.
>
> (To make things a bit clearer: the Internet accesses the gateway through $INET_IP, the LAN accesses the gateway through $LAN_IP, and the IP of the internal web server is $HTTPD_IP.)
>
> What I also want, however, is to allow other LAN hosts to have access to the same web server using the FQDN of the gateway (say http://mysite.dyndns.org). To do that correctly I must also SNAT LAN packets destined to $INET_IP of the gateway:
>
> iptables -t nat -A POSTROUTING -p TCP -i $LAN_IFACE -d $HTTPD_IP --dport 80 -j SNAT --to-source $LAN_IP
>
> Which gives me an error: iptables v1.2.11: Can't use -i with POSTROUTING

The error message is quite clear: you can't specify an input interface (-i) in a POSTROUTING chain, only an output interface (-o).

> Finally, I want to be able to contact the web server from the gateway through the FQDN as well. So I need to DNAT locally generated packets so that they are sent to the proper host:
>
> iptables -t nat -A OUTPUT -p TCP -d $INET_IP --dport 80 -j DNAT --to-destination $HTTPD_IP:80
>
> Which also gives me an error:
> 	iptables v1.2.7a: Invalid argument

Huh? Where does this v1.2.7a version come from?

The syntax seems correct and works for me. If one of the shell variables $INET_IP or $HTTPD_IP were wrong, the error message would be more explicit. The only thing I can think of that gives this kind of error message is that your kernel may not support local NAT in the OUTPUT chain.

What is the kernel version? Is it a Debian kernel image or a custom kernel you compiled yourself? If the version is between 2.4.19 and 2.4.28 (inclusive), was the kernel compiled with the option CONFIG_IP_NF_NAT_LOCAL=y (search in /boot/config-<version>)?

> Secondly, is there a way to achieve this functionality?

An alternative is to use some kind of "split DNS": a local DNS server or proxy used by the local hosts would resolve the FQDN to the server's private address.
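The rule set the thread converges on, written out as one script: DNAT in PREROUTING for every client, a hairpin SNAT in POSTROUTING that uses -o and a source match instead of the -i that iptables rejects there, a DNAT in the nat OUTPUT chain for the gateway's own connections, and the FORWARD rules the hairpinned flow (in and out on the same LAN interface) needs. This is an added example, not code from either participant. The interface names, the addresses, the FORWARD policy and the config-file path in check_local_nat are assumptions to adapt to your network; setting IPT=echo prints the rules instead of applying them.

```sh
#!/bin/sh
# Hairpin NAT ("NAT loopback") for a gateway with one public address.
# Added example, not from the original thread. The values below are assumed
# placeholders (RFC 5737 / RFC 1918 addresses); edit them for your network.
INET_IP="${INET_IP:-203.0.113.10}"      # gateway's public address
LAN_IFACE="${LAN_IFACE:-eth1}"          # interface facing the LAN
LAN_IP="${LAN_IP:-192.168.1.1}"         # gateway's LAN address
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # LAN prefix
HTTPD_IP="${HTTPD_IP:-192.168.1.20}"    # internal web server
IPT="${IPT:-iptables}"                  # IPT=echo prints rules instead of applying them

hairpin_nat_rules() {
    # 1. Rewrite the destination of anything sent to the public address on port 80,
    #    whichever interface it arrived on: Internet clients and LAN clients alike.
    $IPT -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$HTTPD_IP:80"

    # 2. Hairpin SNAT. POSTROUTING only knows the outgoing interface, so the rule
    #    uses -o plus a source match where the original attempt used -i. Limiting
    #    it to -s $LAN_NET keeps Internet clients' real addresses in the web
    #    server's logs. Without this rule the server would answer the LAN client
    #    directly, and the client would drop a reply from an address it never
    #    connected to.
    $IPT -t nat -A POSTROUTING -o "$LAN_IFACE" -s "$LAN_NET" -p tcp \
        -d "$HTTPD_IP" --dport 80 -j SNAT --to-source "$LAN_IP"

    # 3. Packets generated on the gateway itself never pass PREROUTING; the nat
    #    OUTPUT chain is the only place they can be DNATed (this is what needs
    #    kernel support for local NAT, see check_local_nat below).
    $IPT -t nat -A OUTPUT -p tcp -d "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$HTTPD_IP:80"

    # 4. The hairpinned flow enters and leaves on the LAN interface; a FORWARD
    #    policy written only for "-i inet -o lan" would not accept it.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$LAN_IFACE" -p tcp -d "$HTTPD_IP" --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$LAN_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Returns 0 when the given kernel config file enables NAT of locally generated
# packets (CONFIG_IP_NF_NAT_LOCAL=y, the option the reply asks about for
# 2.4.19-2.4.28 kernels), 1 when it is off or absent, 2 when the file is unreadable.
# The default path /boot/config-$(uname -r) is the one the reply mentions.
check_local_nat() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    grep -q '^CONFIG_IP_NF_NAT_LOCAL=y' "$cfg"
}

# Usage: sh hairpin.sh apply      (or IPT=echo sh hairpin.sh apply to preview)
#        sh hairpin.sh check [config-file]
case "${1:-}" in
    apply) hairpin_nat_rules ;;
    check) check_local_nat "${2:-}" ;;
esac
```

Run it with IPT=echo first and read the rules it would add; the POSTROUTING line should contain -o and -s but no -i. If the OUTPUT rule still fails with "Invalid argument" on a 2.4.19-2.4.28 kernel, `sh hairpin.sh check` tells you whether CONFIG_IP_NF_NAT_LOCAL is set in the running kernel's config.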
