2011/11/18 Guy Tetruashvyly <guy....@gmail.com>
> Greetings,
> this is an issue I've been struggling with for months now, didn't even
> make small headway.
>
> Scheme:
> LAN----Linux_X86_ROUTER----INTERNET, so far, very simple.
>
> I have a PPTP server that's on the LAN, and has a LAN IP address (only).
> The router is forwarding GRE and TCP port 1723 to that PPTP server; the
> router is using Netfilter/iptables.
>
> The same issue, which I'll describe pretty soon, happens with a phone
> system (Asterisk) that's on the LAN, which only has a LAN address as
> well, and has UDP and TCP port 5060 forwarded to it by the same router.
>
> Here is the syntax that I used in order to forward the ports. I'll only
> note one of the cases; the same applies to all other DNAT cases:
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1723 -j DNAT --to-destination 10.12.35.8
>   >> DNATs tcp:1723 to 10.12.35.8
> iptables -A FORWARD -p tcp -d 10.12.35.8 --dport 1723 -j ACCEPT
>   >> allows the forwarding action listed above.
>
> The forwarding works great, and I have phones and other PCs PPTP'ing and
> registering phones to my LAN from the wild.
>
> BUT!!
>
> The problem is with my LAN hosts: once the forwarding rules are applied,
> they are unable to use those services if their destination host is
> outside of my LAN.
> Example: if I PPTP VPN with one of my LAN hosts to an outside address,
> it will actually VPN to my LAN PPTP server.
> This is understandable, due to the fact that the router will forward all
> traffic as it's commanded to, and it knows that all tcp:1723 and GRE go
> to host 10.12.35.8 (same will be with SIP).

There is some info missing, so I am going to take a guess here, and please correct me if I'm wrong...
I understand from the NAT rule that you expect the traffic to come FROM eth0, i.e. this is the interface connected to "INTERNET" (how? do you have an additional home/NAT router there?), as otherwise it wouldn't do any NAT work for traffic coming from the WAN (as it didn't come from eth0)...

So my question is this: if this is indeed the case, I would like you to first understand your following statement:

"This is understandable, due to the fact that the router will forward all traffic as it's commanded to, and it knows that all tcp:1723 and GRE go to host 10.12.35.8 (same will be with SIP)."

...which you said about traffic that, as far as I understand, came FROM THE LAN, or in other words, _NOT_ FROM ETH0. Why would then an iptables rule with -i eth0 apply to such traffic? This is NOT understandable whatsoever (if I got all the facts you described right) and needs an explanation.

This is an obvious one, but I'll ask anyways: any chance you have OTHER rules that may have caused this?

HTH,
-- 
Shimi
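To make the point of the reply concrete, here is an added simulation of Netfilter's first-match semantics on the nat PREROUTING chain. It is not part of the thread and it is not iptables; it only models the two match criteria in play (-i and --dport) plus the protocol, for the DNAT rule exactly as posted and for the same rule with -i eth0 left off. The LAN interface name (eth1) and the outside addresses (203.0.113.5, 192.0.2.7, 198.51.100.1) are assumptions for the example, not values from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a tiny subset of the nat/PREROUTING chain.
# Assumptions (not from the thread): eth0 is the WAN side, eth1 the LAN side,
# 198.51.100.1 is the router's public address, 203.0.113.5 an outside PPTP
# server and 192.0.2.7 an outside PPTP client.


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str                    # "tcp", "udp" or "gre"
    src: str
    dst: str
    dport: Optional[int] = None   # GRE has no port, so it stays None


@dataclass(frozen=True)
class DnatRule:
    proto: str
    to: str
    in_iface: Optional[str] = None   # None models a rule written without -i
    dport: Optional[int] = None      # None models a rule without --dport

    def matches(self, pkt: Packet) -> bool:
        """All criteria present on the rule must match, as with iptables."""
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def prerouting(rules: List[DnatRule], pkt: Packet) -> str:
    """First matching rule wins, as in a real chain. Returns the rewritten
    destination, or the original destination when no rule matched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to
    return pkt.dst


# The rules as posted: restricted to packets that arrive on eth0.
POSTED = [
    DnatRule(proto="tcp", dport=1723, in_iface="eth0", to="10.12.35.8"),
    DnatRule(proto="gre", in_iface="eth0", to="10.12.35.8"),
]

# The same rules with -i eth0 omitted. They now also catch LAN-originated
# packets, which is exactly the symptom described in the question.
UNRESTRICTED = [
    DnatRule(proto="tcp", dport=1723, to="10.12.35.8"),
    DnatRule(proto="gre", to="10.12.35.8"),
]

# Constructed packets: an outside client reaching the router's public address,
# and a LAN host trying to reach an outside PPTP server (TCP control and GRE).
WAN_CLIENT = Packet("eth0", "tcp", "192.0.2.7", "198.51.100.1", 1723)
LAN_TO_OUTSIDE = Packet("eth1", "tcp", "10.12.35.50", "203.0.113.5", 1723)
LAN_GRE_OUT = Packet("eth1", "gre", "10.12.35.50", "203.0.113.5")


def scenario(rules: List[DnatRule]) -> dict:
    """Destination each constructed packet ends up with under the given chain."""
    return {
        "wan_client": prerouting(rules, WAN_CLIENT),
        "lan_to_outside": prerouting(rules, LAN_TO_OUTSIDE),
        "lan_gre_out": prerouting(rules, LAN_GRE_OUT),
    }


if __name__ == "__main__":
    for name, rules in (("as posted (-i eth0)", POSTED), ("without -i", UNRESTRICTED)):
        print(name, scenario(rules))
```

With the rule as posted the LAN packets keep their outside destination, so the observed redirection cannot come from that rule alone; only a rule that matches without an input-interface restriction produces it. On the real router the equivalent check is to look at the whole ruleset rather than the one line you remember adding: `iptables-save` dumps every table, and `iptables -t nat -vnL PREROUTING` shows per-rule packet counters, so a DNAT rule whose counter climbs while only LAN hosts are testing is the one to suspect.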
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il