Thanks, works like a charm. These are my full set of rules for anyone interested:

    $IPTABLES -t nat -F
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    $IPTABLES -t nat -A PREROUTING -p TCP -d 139.142.1.100 --dport 80 -j DNAT --to 192.168.0.2:80
    $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1

One thing that was wrong with my original rule is that I didn't have -d 139.142.1.100 ... What happened as a result is that every client was redirected to the 192.168.0.2 web page no matter what URL they typed into the browser.

Thanks again,
Tomas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wade Dyck
Sent: Wednesday, March 17, 2004 12:35 PM
To: CLUG General
Subject: Re: [clug-talk] Prerouting from internal network with NAT ..??

Hi Tomas,

In the case where you removed the -i $EXTIF, the traffic flows from your workstation, to the router, and then to your apache server. The response, however, is sent from your apache server directly to your workstation, bypassing your router because the source address is in the same subnet as apache. To fix this, add an SNAT rule so the source address is the router.

    $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1

Hope that helps,
Wade.

On March 17, 2004 11:49 am, Tomas Florian wrote:
> Hello,
>
> I have a masquerade setup on my router in the following way:
>
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> Additionally I'm prerouting all of the http traffic to a second server
> (192.168.0.2) because that's where I have my apache running.
>
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p TCP --dport 80 -j DNAT --to 192.168.0.2:80
>
> This works great ... when I'm on the outside network I can get to my web
> server and all my internal clients have access to the internet.
>
> The problem is that when I'm on the internal network (192.168.0.x) and I'm
> trying to get to my web server, let's say www.bla.com, which has a public IP,
> say 139.142.1.100, the prerouting rule above does not work anymore. It
> just looks for a web server running on the router machine, which is not what
> I want. I suspect I know why it's doing it, but I'm not sure what the
> solution is ... or if there even is any. My understanding of NAT is that
> it is translating the addresses only in one direction, so the problem I'm
> having arises because I'm asking it to do NAT in the direction that it is
> not set up to work.
>
> My temporary solution is to go to the web server by typing
> http://192.168.0.2, but this is not what I want at all.
>
> I also tried taking out the -i $EXTIF from my rule, but that didn't help
> either:
>
> $IPTABLES -t nat -A PREROUTING -p TCP --dport 80 -j DNAT --to 192.168.0.2:80
>
> Any ideas anyone?
>
> Thanks,
> Tomas
>
> _______________________________________________
> clug-talk mailing list
> [EMAIL PROTECTED]
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
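An added illustration, not part of the thread: a small model of the packet flow Wade describes, showing why the reply from apache bypasses the router until the SNAT rule is added, and why Tomas's DNAT rule without -d captured every port-80 connection. The router, web server and public addresses are the ones from the thread; the client and outside-host addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")
PUBLIC_IP = "139.142.1.100"   # router's external address (from the thread)
ROUTER_LAN = "192.168.0.1"    # router's LAN address (from the thread)
WEB = "192.168.0.2"           # the apache host (from the thread)


@dataclass(frozen=True)
class Rules:
    dnat_dst: Optional[str]   # the "-d" on the PREROUTING rule; None = Tomas's original rule without it
    snat: bool                # whether Wade's POSTROUTING SNAT rule is present


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


def router_forward(src: str, dst: str, rules: Rules) -> Tuple[str, str]:
    """Apply the router's nat PREROUTING (DNAT) then POSTROUTING (SNAT) to a port-80 packet."""
    if rules.dnat_dst is None or dst == rules.dnat_dst:
        dst = WEB                          # -p TCP --dport 80 -j DNAT --to 192.168.0.2:80
    if rules.snat and in_lan(src) and dst == WEB:
        src = ROUTER_LAN                   # -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1
    return src, dst


def exchange(client: str, target: str, rules: Rules) -> Tuple[str, bool]:
    """Return (host that received the request, whether the client's TCP stack accepts the reply)."""
    fwd_src, fwd_dst = router_forward(client, target, rules)
    if fwd_dst != WEB:
        return fwd_dst, True               # ordinary masqueraded traffic; not the case of interest
    # Apache replies to the source address it saw. A LAN source is on-link, so the reply
    # goes straight to it; anything else is routed back through the router, whose
    # connection tracking reverses the DNAT (and SNAT) on the way out.
    reply_src, reply_dst = WEB, fwd_src
    if not in_lan(reply_dst) or reply_dst == ROUTER_LAN:
        reply_src, reply_dst = target, client
    # The client only matches a reply that comes from the address it connected to.
    return WEB, (reply_src == target and reply_dst == client)


if __name__ == "__main__":
    for label, rules in [("no SNAT", Rules(PUBLIC_IP, False)), ("with SNAT", Rules(PUBLIC_IP, True))]:
        print(label, "LAN client ->", PUBLIC_IP, exchange("192.168.0.5", PUBLIC_IP, rules))
    print("no -d, LAN client -> outside host", exchange("192.168.0.5", "203.0.113.7", Rules(None, True)))
```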

