Re: port forwarding
On Tue, 2 May 2006 04:34:13 +0300
Tsakiridis Antonis <firstname.lastname@example.org> wrote:
> I have a small LAN and want to allow access to an internal(no real ip, sorry
> ;-)) web server to Internet clients
> The gateway is using iptables v1.2.11(debian sarge)
> I have activated port forwarding, so that Internet traffic targeted at my
> gateway's port 80 is forwarded to the internal web server and works just fine.
> (To make things a bit clear:
> the Internet accesses the gateway through $INET_IP,
> the LAN accesses the gateway through $LAN_IP,
> the IP of the internal web server is $HTTPD_IP)
> What I also want, however, is to allow other LAN hosts have access to the same
> web server using the FQDN of the gateway(say http://mysite.dyndns.org). To do
> that correctly I must also SNAT LAN packets destined to $INET_IP of the
> iptables -t nat -A POSTROUTING -p TCP -i $LAN_IFACE -d $HTTPD_IP --dport 80 -j
> SNAT --to-source $LAN_IP
> Which gives me an error:
> iptables v1.2.11: Can't use -i with POSTROUTING
> Finally, I want to be able to contact the web server from the gateway through
> the FQDN as well. So I need to DNAT locally generated packets so that they
> are sent to the proper host:
> iptables -t nat -A OUTPUT -p TCP -d $INET_IP --dport 80 -j DNAT
> --to-destination $HTTPD_IP:80
> Which also gives me an error:
> iptables v1.2.7a: Invalid argument
> Firstly, I would really apreciate it if someone could tell me what is wrong
> with rules 2 and 3?
> Secondly, is there a way to achieve this functionality?
> p.s. These rules are taken from Oscar Andreasson's extensive discussion of
> DNAT target in his "Iptables Tutorial 1.2.0", section 11.3
> Thanks a lot in advance,
Take a look at the Iptables Tutorial written by Oskar Andreasson. When he talks about NAT, there's an example treating a problem very very similar to the one you have.
Miguel Da Silva.
Servicio de Informatica.
Facultad de Ciencias.