Greetings,
This is an issue I've been struggling with for months now; I haven't even made small headway.

Scheme:
LAN----Linux_X86_ROUTER----INTERNET; so far, very simple.

I have a PPTP server that's on the LAN, and it has a LAN IP address (only).
The router forwards GRE and TCP port 1723 to that PPTP server; the router is using Netfilter/iptables.

The same issue, which I'll describe shortly, happens with a phone system (Asterisk) that's on the LAN and also only has a LAN address,
and has UDP and TCP port 5060 forwarded to it by the same router.

Here is the syntax I used to forward the ports; I'll only note one of the cases, the same applies to all other DNAT cases:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1723 -j DNAT --to-destination 10.12.35.8   # DNATs tcp:1723 to 10.12.35.8
iptables -A FORWARD -p tcp -d 10.12.35.8 --dport 1723 -j ACCEPT   # allows the forwarding action listed above

The forwarding works great, and I have phones and other PCs PPTP'ing in and registering phones to my LAN from the wild.

BUT !!

The problem is with my LAN hosts: once the forwarding rules are applied,
they are unable to use those services if their destination host is outside of my LAN.
Example: if I PPTP VPN from one of my LAN hosts to an outside address, it will actually VPN to my LAN PPTP server.
This is understandable, since the router forwards all traffic as it's commanded to,
and it knows that all tcp:1723 and GRE go to host 10.12.35.8 (same with SIP).

I have tried numerous “tricks”: using the WAN interface name instead of just “eth0” is one example.
Another was only forwarding “SYN” packets to the inside host, but oh well, the LAN hosts also send SYN.
Another was excluding the LAN source address with the “!” directive; I really expected that to work, but still no go.
I'm hitting a wall: it's either hosts from the wild being able to access the services on my LAN, or
my LAN hosts being able to get to the world and use those services;
I cannot get both to work at the same time.
If someone has got this same feature to work on their router, their help would be greatly appreciated.

Thank you,
Guy
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
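Added example (not part of Guy's post or any reply on the list): a rule set that matches the DNAT on the router's own public address instead of the input interface, so a LAN host dialling an outside PPTP or SIP server (a different destination address) is never caught by it, plus the hairpin masquerade that keeps replies flowing through the router when a LAN host does use the public address. The public address 203.0.113.5, eth0 as the WAN interface, the LAN subnet 10.12.35.0/24 and the Asterisk address 10.12.35.9 are assumptions; 10.12.35.8 is the PPTP server from the post. By default the script only prints the rules; run it as root with DRY_RUN=0 to load them.

```shell
#!/bin/sh
# Added example, not code from the post: hairpin-safe DNAT for the PPTP and
# SIP servers described above. Prints the rules by default; DRY_RUN=0 loads
# them (needs root and an existing, compatible FORWARD/nat policy).
#
# Assumed topology (only 10.12.35.8 comes from the post):
#   eth0 = WAN interface with public address 203.0.113.5
#   LAN  = 10.12.35.0/24
#   10.12.35.8 = PPTP server, 10.12.35.9 = Asterisk (assumed)
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-203.0.113.5}
LAN_NET=${LAN_NET:-10.12.35.0/24}
PPTP_SRV=${PPTP_SRV:-10.12.35.8}
SIP_SRV=${SIP_SRV:-10.12.35.9}
DRY_RUN=${DRY_RUN:-1}

# Print or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# dnat_to_lan PROTO TARGET [extra match, e.g. --dport 1723]
#
# The PREROUTING rule keys on the destination address (the router's public
# IP), not on "-i eth0". A LAN host connecting to an outside VPN or SIP
# provider sends to that provider's address, so this rule does not match and
# the packet is routed out normally. Only packets addressed to WAN_IP, whether
# they arrive from the Internet or from the LAN, are redirected inside.
dnat_to_lan() {
    proto=$1; target=$2; shift 2
    ipt -t nat -A PREROUTING -d "$WAN_IP" -p "$proto" "$@" -j DNAT --to-destination "$target"
    ipt -A FORWARD -d "$target" -p "$proto" "$@" -j ACCEPT
    # Hairpin case: a LAN host that connects to WAN_IP is DNATed back into its
    # own subnet. Without this rule the server would answer the LAN host
    # directly, the reply would bypass the router's NAT state and the
    # connection would hang; masquerading the source forces the reply back
    # through the router.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$target" -p "$proto" "$@" -j MASQUERADE
}

load_rules() {
    # Return traffic for tracked connections (needed if FORWARD policy is DROP).
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    dnat_to_lan tcp "$PPTP_SRV" --dport 1723
    dnat_to_lan gre "$PPTP_SRV"
    dnat_to_lan udp "$SIP_SRV" --dport 5060
    dnat_to_lan tcp "$SIP_SRV" --dport 5060
    # Ordinary outbound masquerade for the LAN, unaffected by the rules above.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

load_rules
```

If the public address is dynamic, replace `-d "$WAN_IP"` with `-m addrtype --dst-type LOCAL`, which matches any address the router itself holds. For PPTP from several LAN clients at once, the GRE call tracking in the nf_conntrack_pptp and nf_nat_pptp modules is also needed; that is separate from the destination-match point shown here.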