[Solved] Iptables and SNAT help

ksool · Last edited by ksool on Sat Sep 15, 2007 3:28 am; edited 1 time in total

Hey all. I'm trying to modify my iptables setup but let me describe the network first.
Couple local machines on 192.168.1.0/24. Router at 192.168.1.1 and a public ip.

Right now, I have a couple of services running behind my firewall which are accessible to the public. I also have basic NAT running. What I would like would be to allow the local machines to access the services through the router. That is, indirectly. Ideally, It would be something like 192.168.1.2 requests tcp port 80 from the public ip and the router establishes a connection to the http server as if it were a connection from the public. Like this, theoretically, the client should never have to know the private ip of the server and vice versa. Hope that's clear.

<removed>

nixnut · Posted: Tue Sep 04, 2007 4:44 pm Post subject:

That scenario is described here
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered

talk is cheap. supply exceeds demand

sschlueter · Posted: Tue Sep 04, 2007 11:19 pm Post subject:

If the client and the server are in the the same subnet (and the log suggests that they are), then a simple DNAT is not enough. The reasonis that the server sends its response directly to the client, where it is discarded as an unsolicited packet.

You need to set up a DNAT rule in the PREROUTING chain to change the destination IP to that of the server and set up a SNAT rule in the POSTROUTING chanin to change the source IP to that of the router.

ksool · Posted: Sat Sep 15, 2007 3:27 am Post subject:

Thanks. Worked like a charm.

That's a fantastically thorough iptables by the way. Much appreciated.