In his prose, Lothar Behrens wrote to us:
> I have configured my firewall to DNAT the following addresses to be
> forwarded to internal server.
> 217.5.155.20, 217.5.155.22
> On 217.5.155.22 you will see an apache server running on Windows.
> On 217.5.155.20 you will see an apache server running on Linux 7.3.
> If I try to connect to them from internal, I can't see these pages.
It's a very common issue.
When you try to connect to your DNATed addresses from the LAN, this is
what happens. Suppose A is the LAN host, S the DNATed server and G the gateway.
A sends a SYN to 217.5.155.20 via G (default gateway)
G DNATs 217.5.155.20 to IP(S) and routes the SYN to S
S receives a SYN from A and replies with a SYN-ACK
Since A is in the same subnet as S, S sends the SYN-ACK directly to A, not
using G as gateway. Thus, the SYN-ACK can't be deDNATed.
A receives a SYN-ACK from S
Since A is waiting for a SYN-ACK from 217.5.155.20, it drops S's SYN-ACK and you
can't connect.
To make the whole thing work, you have to force S to reply through G so that
S's packets to A get deDNATed. The simplest way to achieve this is to set a
SNAT rule on G for LAN-sourced connections to S:
iptables -t nat -A POSTROUTING -s <LAN> -d <IP(S)> -j SNAT \
--to <IP(G) on LAN>
Do it for both 217.5.155.20 and 217.5.155.22 DNAT targets and you're done.
--
Usenet: read drunk, post wasted.
-+- LC in <http://neuneu.mine.nu>: Painless posting. -+-
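The exchange described in the reply above, as an added example that is not part of the original thread: a small Python model of the SYN / SYN-ACK path through G, with and without the hairpin SNAT rule. The public address is the one from the thread; the LAN addresses of A, S and G are assumed.

```python
"""Model of the hairpin-NAT problem: why A drops S's SYN-ACK without SNAT on G."""
from dataclasses import dataclass, replace

PUBLIC = "217.5.155.20"                       # DNATed public address from the thread
LAN = "192.168.1."                            # assumed LAN prefix
A, S, G = LAN + "10", LAN + "20", LAN + "1"   # assumed client, server and gateway addresses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str


def gateway_forward(pkt, snat):
    """G on the A -> S path: DNAT PUBLIC to S; with snat=True, also rewrite LAN
    sources talking to S so they appear to come from G (the POSTROUTING rule).
    Returns the rewritten packet and the conntrack entry needed to undo it."""
    ct = {"orig_src": pkt.src, "orig_dst": pkt.dst}
    if pkt.dst == PUBLIC:
        pkt = replace(pkt, dst=S)
    if snat and pkt.src.startswith(LAN) and pkt.dst == S:
        pkt = replace(pkt, src=G)
    ct["new_src"], ct["new_dst"] = pkt.src, pkt.dst
    return pkt, ct


def gateway_reply(pkt, ct):
    """G on the reply path: reverse both rewrites recorded in conntrack."""
    if pkt.src == ct["new_dst"] and pkt.dst == ct["new_src"]:
        return replace(pkt, src=ct["orig_dst"], dst=ct["orig_src"])
    return pkt


def handshake(snat):
    """Send A's SYN to PUBLIC through G to S; return (accepted_by_A, trace)."""
    trace = []
    syn_at_s, ct = gateway_forward(Packet(A, PUBLIC, "SYN"), snat)
    trace.append(f"S sees SYN {syn_at_s.src} -> {syn_at_s.dst}")
    synack = Packet(S, syn_at_s.src, "SYN-ACK")      # S answers whoever it saw
    if synack.dst == G or not synack.dst.startswith(LAN):
        synack = gateway_reply(synack, ct)           # reply passes through G
        trace.append(f"G rewrites SYN-ACK to {synack.src} -> {synack.dst}")
    else:
        trace.append("S delivers SYN-ACK directly to A; G never sees it")
    accepted = synack.src == PUBLIC and synack.dst == A
    trace.append("A accepts" if accepted else f"A drops SYN-ACK from {synack.src}")
    return accepted, trace


if __name__ == "__main__":
    for snat in (False, True):
        print(f"snat={snat}:", *handshake(snat)[1], sep="\n  ")
```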