[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: port forwarding

On Tue, 2 May 2006 04:34:13 +0300
Tsakiridis Antonis <atsakir@freemail.gr> wrote:

> I have a small LAN and want to allow access to an internal(no real ip, sorry 
> ;-)) web server to Internet clients
> The gateway is using iptables v1.2.11(debian sarge)
> I have activated port forwarding, so that Internet traffic targeted at my 
> gateway's port 80 is forwarded to the internal web server and works just fine.
> (To make things a bit clear: 
> the Internet accesses the gateway through $INET_IP, 
> the LAN accesses the gateway through $LAN_IP, 
> the IP of the internal web server is $HTTPD_IP)
> What I also want, however, is to allow other LAN hosts have access to the same 
> web server using the FQDN of the gateway(say http://mysite.dyndns.org). To do 
> that correctly I must also SNAT LAN packets destined to $INET_IP of the 
> gateway:
> iptables -t nat -A POSTROUTING -p TCP -i $LAN_IFACE -d $HTTPD_IP --dport 80 -j 
> SNAT --to-source $LAN_IP
> Which gives me an error: 
> 	iptables v1.2.11: Can't use -i with POSTROUTING
> Finally, I want to be able to contact the web server from the gateway through 
> the FQDN as well. So I need to DNAT locally generated packets so that they 
> are sent to the proper host:
> iptables -t nat -A OUTPUT -p TCP -d $INET_IP --dport 80 -j DNAT 
> --to-destination $HTTPD_IP:80
> Which also gives me an error:
> 	iptables v1.2.7a: Invalid argument
> Firstly, I would really apreciate it if someone could tell me what is wrong 
> with rules 2 and 3? 
> Secondly, is there a way to achieve this functionality?
> p.s. These rules are taken from Oscar Andreasson's extensive discussion of 
> DNAT target in his "Iptables Tutorial 1.2.0", section 11.3 
> (http://iptables-tutorial.frozentux.net/iptables-tutorial.html).
> Thanks a lot in advance, 
> Antonis

Take a look at the Iptables Tutorial written by Oskar Andreasson. When he talks about NAT, there's an example treating a problem very very similar to the one you have.


Miguel Da Silva.
Servicio de Informatica.
Facultad de Ciencias.

Reply to: