
Re: Port forwarding and local firewall connections



On 2007-07-12 Marco wrote:
> On Thu, 12 Jul 2007 14:48:37 +0200, Ansgar -59cobalt- Wiechers wrote:
>> Then do NAT for that interface. To repeat myself: you don't need NAT
>> for connections between your two private networks. Stop using NAT
>> there, and your problem is solved.
> 
> Maybe I don't understand this, but if I don't use NAT there from the
> internet I can't connect to the webserver. With this rule commented:
> 
> iptables -t nat -A PREROUTING -i ! $DMZIF -p tcp --dport 80
> -j DNAT --to 192.168.10.2
> 
> everything works from LAN, but not from internet. Firewall has a
> public IP address and it's accepting connections from internet and
> LAN.

If you comment that rule out, you don't make NAT at all. That's not what
you want. You want a NAT rule for internet traffic only, e.g. like this:

iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
  -j DNAT --to 192.168.10.2

With $EXTIF being your firewall's external (Internet) interface.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
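To make the difference between the two rules in the exchange above concrete, here is an added example (not from the original post) that models how iptables' interface match selects packets in the nat PREROUTING chain. The interface names, the public address and the sample packets are constructed; the webserver address 192.168.10.2 is the one from the thread.

```python
# Minimal model of the interface match used by the two DNAT rules in the
# thread.  Interface names and the firewall's public IP are constructed
# for this example (TEST-NET-3 range); only 192.168.10.2 is from the post.
EXTIF, LANIF, DMZIF = "eth0", "eth1", "eth2"
WEBSERVER = "192.168.10.2"
PUBLIC_IP = "203.0.113.10"


def dnat_rule(in_iface, negate=False, dport=80, to=WEBSERVER):
    """Build a matcher equivalent to:
       iptables -t nat -A PREROUTING -i [!] IFACE -p tcp --dport DPORT \
                -j DNAT --to TO
    (the post uses the old '-i ! IFACE' spelling; newer iptables writes
    '! -i IFACE', the semantics are the same)."""
    def apply(pkt):
        on_iface = pkt["in"] == in_iface
        iface_ok = (not on_iface) if negate else on_iface
        if iface_ok and pkt["proto"] == "tcp" and pkt["dport"] == dport:
            return dict(pkt, dst=to, dnat=True)   # DNAT target rewrites dst
        return dict(pkt, dnat=False)              # falls through, routed as-is
    return apply


# Marco's original rule:  -i ! $DMZIF  -> matches LAN *and* Internet traffic
ORIGINAL = dnat_rule(DMZIF, negate=True)
# Ansgar's suggestion:    -i $EXTIF    -> matches Internet traffic only
SUGGESTED = dnat_rule(EXTIF)

# Constructed packets, all aimed at port 80 on the firewall's public IP.
PACKETS = [
    {"name": "internet", "in": EXTIF, "proto": "tcp", "dport": 80, "dst": PUBLIC_IP},
    {"name": "lan",      "in": LANIF, "proto": "tcp", "dport": 80, "dst": PUBLIC_IP},
    {"name": "dmz",      "in": DMZIF, "proto": "tcp", "dport": 80, "dst": PUBLIC_IP},
    {"name": "lan-ssh",  "in": LANIF, "proto": "tcp", "dport": 22, "dst": PUBLIC_IP},
]


def which_get_dnat(rule):
    """Return {packet name: True if the rule rewrote its destination}."""
    return {p["name"]: rule(p)["dnat"] for p in PACKETS}


if __name__ == "__main__":
    print("original :", which_get_dnat(ORIGINAL))
    print("suggested:", which_get_dnat(SUGGESTED))
```

With the original rule the LAN packet is rewritten too, so a LAN host talks to the DMZ through NAT; with the suggested rule only the packet arriving on the external interface is rewritten and LAN-to-DMZ traffic is simply routed.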


