NAT tweaking

jbpros · Posted: Wed Jul 07, 2004 5:16 pm Post subject: NAT tweaking

Hi people!

I've just finished reconfiguring my LAN with a dedicated gentoo router, a dedicated gentoo server and several stations. LAN has got access to the Internet through the router, DNS, DHCP and all those stuffs seem to work nicely.

I've setup a jabber and http servers on the gentoo server (10.0.2.150) and used iptables forwarding rules to allow "internet to local server" access. There is only one thing I can't manage: I would like my LAN boxes to have access to the server through the public interface of my router. Here is a little representation:

1. Normal internal http connection from a local box to the HTTP server:
[LANBOX/10.0.2.12]<---->[SERVER/10.0.2.150:80]

2. Normal external http connection from the internet to my local server:
[INTERNET/195.238.12.45]<---->[212.124.23.12:80/ROUTER/10.0.2.253]<---->[SERVER/10.0.2.150:80]

3. What I'm willing to do:
[LANBOX/10.0.2.12]<---->[212.124.23.12:80/ROUTER/10.0.2.253]<---->[10.0.2.150:80/SERVER]

I'm learning iptables for some weeks now and understood a good number of basic concepts of the kernel IP stack but there I'm stuck.. I'm sure it's easy to implement though

Here is my iptables script:

moocha · Watchman Joined: 21 Oct 2003 Posts: 5722

The LAN boxes will always connect directly to the server because they're on the same subnet and thus have a net route to the server. In addition to the iptables rules you need to also locally add a host route on each of the LAN boxes telling them that the route to 10.0.2.150 is via 212.124.23.12. Under *nix do it with /sbin/route. Under Windows do it with route.exe.
_________________
Military Commissions Act of 2006: http://tinyurl.com/jrcto

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- attributed to Benjamin Franklin

jbpros · Posted: Wed Jul 07, 2004 10:30 pm Post subject:

I'm not sure I was clear enough

What I want is to be able to connect to my web server by typing "http://212.124.23.12/" from a LAN box (in fact I'm even using a dynamic DNS address). This was working on my previous Red Hat routers (but I used "ready-to-go" iptables scripts there). So I'm sure I can access my server from a LAN node like any outside box on the Internet would do. I'm pretty sure this can be achieved, the public router IP address should not cause more problems than any other public IP address on the Internet (though I guess it needs one or two iptables rules

)

Thank you for your help!

splooge · l33t Joined: 30 Aug 2002 Posts: 636

Well I am not gonna wade through that entire script, but often times if an IP packet with the source address of your internal network lands on your external interface it gets dropped. The reason for this is so malicious people can't spoof their source IP address and trick your firewall into letting them in.
_________________
http://get.a.clue.de

jbpros · Posted: Wed Jul 07, 2004 11:13 pm Post subject:

jbpros · Posted: Thu Jul 08, 2004 12:08 am Post subject:

While trying to fix my problem I encountered something strange. When I'm on the router trying to ping itself on its public interface (ping 81.242.210.113), the operation fails as it is not "permitted". After some research in the logs I found that pinging my public IP was sending packets to the "lo" interface. I thought it would be using ppp0, no??? I have to allow traffic in the OUTPUT chain to the "lo" interface to be able to ping myself on my public IP... lo interface is naturally 127.0.0.1/8, nothing to do with 81.242.210.113

Is this behaviour normal?

[EDIT] and for more informations, here are the routes, quite simple and correct. hu.