
Re: port forwarding



Miguel Da Silva wrote:
> On Tue, 2 May 2006 04:34:13 +0300
> Tsakiridis Antonis <atsakir@freemail.gr> wrote:
> 
> 
>>I have a small LAN and want to allow access to an internal (no real IP, sorry
>>;-)) web server to Internet clients.
>>
>>The gateway is using iptables v1.2.11 (Debian sarge).
>>
>>I have activated port forwarding, so that Internet traffic targeted at my 
>>gateway's port 80 is forwarded to the internal web server and works just fine.
>>
>>(To make things a bit clear: 
>>the Internet accesses the gateway through $INET_IP, 
>>the LAN accesses the gateway through $LAN_IP, 
>>the IP of the internal web server is $HTTPD_IP)

So, if I understand this right your http server and your LAN hosts are
all on the same network.  You don't have a DMZ.  If that's right then
below is my best (untested) guess.

>>
>>What I also want, however, is to allow other LAN hosts to have access to the same
>>web server using the FQDN of the gateway (say http://mysite.dyndns.org). To do
>>that correctly I must also SNAT LAN packets destined to $INET_IP of the 
>>gateway:
>>
>>iptables -t nat -A POSTROUTING -p TCP -i $LAN_IFACE -d $HTTPD_IP --dport 80 -j 
>>SNAT --to-source $LAN_IP
>>
>>Which gives me an error: 
>>	iptables v1.2.11: Can't use -i with POSTROUTING


I think what you want here, instead of POSTROUTING and SNAT, is
PREROUTING and DNAT, i.e.

$IPTABLES -t nat -A PREROUTING -p tcp -i $LAN_IFACE -d $INET_IP --dport 80 \
    -j DNAT --to-destination $HTTPD_IP

Then you need a FORWARD rule to allow the now DNAT'd packets to be
forwarded to your web server's LAN IP.  Something like this...

# FORWARD is traversed after the nat PREROUTING chain, so the destination
# to match here is the web server's address, not $INET_IP.
$IPTABLES -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -p tcp -d $HTTPD_IP \
    --dport 80 -j ACCEPT

I haven't tested this, and it seems a bit weird since the DNAT'd packets
will have source and destination in the same network (your LAN network),
and will be routed in and then back out the same interface.  It would
not surprise me if such packets would be considered INVALID by the
following rule if you have it.

$IPTABLES -A FORWARD -m state --state INVALID -j DROP

There are three other options I can see to what you're doing.

1.  Put a 3rd NIC in your gateway and set up a DMZ for your web server
to live in.  This way if your web server gets hacked your internal LAN
is still protected.

or

2.  Set up BIND on your gateway with split DNS views so that when your
LAN hosts do a lookup on www.yourdomain.com they get the internal IP of
your http server.

or

3.  Plug the internal LAN IP of your http server into the hosts files of
your LAN hosts.

If it were me I'd do both 1 and 2 above.

Hope that helps.
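For reference, here is a complete "hairpin NAT" rule set for the setup discussed in this thread, as an added example that is not from either poster. The addresses and interface name are assumed placeholders, and with IPTABLES unset the script only prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: set IPTABLES=iptables
# on the gateway to apply the rules. All addresses below are assumed placeholders.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IP="${INET_IP:-203.0.113.10}"       # gateway's public address
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # internal network
LAN_IP="${LAN_IP:-192.168.1.1}"          # gateway's LAN address
HTTPD_IP="${HTTPD_IP:-192.168.1.80}"     # internal web server
LAN_IFACE="${LAN_IFACE:-eth1}"

hairpin_rules() {
    # 1. LAN clients connecting to the public IP are redirected to the web
    #    server, just like Internet clients. -i is legal in PREROUTING.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp -d "$INET_IP" \
        --dport 80 -j DNAT --to-destination "$HTTPD_IP"
    # 2. Rewrite the source so the server answers via the gateway; otherwise
    #    it replies to the client directly and the client, expecting a packet
    #    from $INET_IP, resets the connection. POSTROUTING cannot match -i
    #    (the error in the original post), so match the LAN source network.
    $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -p tcp -d "$HTTPD_IP" \
        --dport 80 -j SNAT --to-source "$LAN_IP"
    # 3. FORWARD runs after DNAT, so the destination is already $HTTPD_IP.
    #    Only port 80 is opened on the LAN-in, LAN-out path.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$LAN_IFACE" -p tcp -d "$HTTPD_IP" \
        --dport 80 -m state --state NEW -j ACCEPT
    # 4. Replies (server -> gateway -> client) need a generic ESTABLISHED rule;
    #    most firewalls already have one, in which case this is a duplicate.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run check: no -i in POSTROUTING, and FORWARD matches the post-DNAT
# address. Returns 0 when both hold.
check_rules() {
    hairpin_rules | grep POSTROUTING | grep -q -- ' -i ' && return 1
    hairpin_rules | grep -q -- "-A FORWARD .* -d $HTTPD_IP --dport 80" || return 1
    return 0
}

hairpin_rules
```

Run it once with IPTABLES unset to review the printed rules, then with IPTABLES=iptables on the gateway to load them.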
