Submit
Path:
~
/
/
usr
/
share
/
doc
/
iptables
/
html
/
File Content:
NAT-HOWTO-10.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82"> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <TITLE>Linux 2.4 NAT HOWTO: Destination NAT Onto the Same Network</TITLE> <LINK HREF="NAT-HOWTO-11.html" REL=next> <LINK HREF="NAT-HOWTO-9.html" REL=previous> <LINK HREF="NAT-HOWTO.html#toc10" REL=contents> </HEAD> <BODY> <A HREF="NAT-HOWTO-11.html">Next</A> <A HREF="NAT-HOWTO-9.html">Previous</A> <A HREF="NAT-HOWTO.html#toc10">Contents</A> <HR> <H2><A NAME="s10">10.</A> <A HREF="NAT-HOWTO.html#toc10">Destination NAT Onto the Same Network</A></H2> <P>If you are doing port forwarding back onto the same network, you need to make sure that both future packets and reply packets pass through the NAT box (so they can be altered). The NAT code will now (since 2.4.0-test6), block the outgoing ICMP redirect which is produced when the NAT'ed packet heads out the same interface it came in on, but the receiving server will still try to reply directly to the client (which won't recognize the reply).</P> <P>The classic case is that internal staff try to access your `public' web server, which is actually DNAT'ed from the public address (1.2.3.4) to an internal machine (192.168.1.1), like so:</P> <P> <BLOCKQUOTE><CODE> <PRE> # iptables -t nat -A PREROUTING -d 1.2.3.4 \ -p tcp --dport 80 -j DNAT --to 192.168.1.1 </PRE> </CODE></BLOCKQUOTE> </P> <P>One way is to run an internal DNS server which knows the real (internal) IP address of your public web site, and forward all other requests to an external DNS server. This means that the logging on your web server will show the internal IP addresses correctly.</P> <P>The other way is to have the NAT box also map the source IP address to its own for these connections, fooling the server into replying through it. In this example, we would do the following (assuming the internal IP address of the NAT box is 192.168.1.250):</P> <P> <BLOCKQUOTE><CODE> <PRE> # iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \ -p tcp --dport 80 -j SNAT --to 192.168.1.250 </PRE> </CODE></BLOCKQUOTE> </P> <P>Because the <B>PREROUTING</B> rule gets run first, the packets will already be destined for the internal web server: we can tell which ones are internally sourced by the source IP addresses.</P> <HR> <A HREF="NAT-HOWTO-11.html">Next</A> <A HREF="NAT-HOWTO-9.html">Previous</A> <A HREF="NAT-HOWTO.html#toc10">Contents</A> </BODY> </HTML>
Edit
Rename
Chmod
Delete
FILE
FOLDER
INFO
Name
Size
Permission
Action
NAT-HOWTO-1.html
1152 bytes
0644
NAT-HOWTO-10.html
2525 bytes
0644
NAT-HOWTO-11.html
910 bytes
0644
NAT-HOWTO-2.html
4346 bytes
0644
NAT-HOWTO-3.html
1444 bytes
0644
NAT-HOWTO-4.html
4400 bytes
0644
NAT-HOWTO-5.html
5139 bytes
0644
NAT-HOWTO-6.html
8397 bytes
0644
NAT-HOWTO-7.html
1324 bytes
0644
NAT-HOWTO-8.html
1136 bytes
0644
NAT-HOWTO-9.html
2091 bytes
0644
NAT-HOWTO.html
2666 bytes
0644
netfilter-extensions-HOWTO-1.html
2102 bytes
0644
netfilter-extensions-HOWTO-2.html
7807 bytes
0644
netfilter-extensions-HOWTO-3.html
28969 bytes
0644
netfilter-extensions-HOWTO-4.html
12548 bytes
0644
netfilter-extensions-HOWTO-5.html
7041 bytes
0644
netfilter-extensions-HOWTO-6.html
11242 bytes
0644
netfilter-extensions-HOWTO-7.html
2188 bytes
0644
netfilter-extensions-HOWTO-8.html
1021 bytes
0644
netfilter-extensions-HOWTO-9.html
2222 bytes
0644
netfilter-extensions-HOWTO.html
7267 bytes
0644
netfilter-hacking-HOWTO-1.html
7474 bytes
0644
netfilter-hacking-HOWTO-2.html
1718 bytes
0644
netfilter-hacking-HOWTO-3.html
8038 bytes
0644
netfilter-hacking-HOWTO-4.html
53338 bytes
0644
netfilter-hacking-HOWTO-5.html
1056 bytes
0644
netfilter-hacking-HOWTO-6.html
3028 bytes
0644
netfilter-hacking-HOWTO-7.html
9288 bytes
0644
netfilter-hacking-HOWTO-8.html
5234 bytes
0644
netfilter-hacking-HOWTO-9.html
835 bytes
0644
netfilter-hacking-HOWTO.html
3811 bytes
0644
packet-filtering-HOWTO-1.html
1891 bytes
0644
packet-filtering-HOWTO-10.html
2575 bytes
0644
packet-filtering-HOWTO-11.html
3742 bytes
0644
packet-filtering-HOWTO-2.html
1593 bytes
0644
packet-filtering-HOWTO-3.html
5775 bytes
0644
packet-filtering-HOWTO-4.html
2189 bytes
0644
packet-filtering-HOWTO-5.html
1644 bytes
0644
packet-filtering-HOWTO-6.html
3505 bytes
0644
packet-filtering-HOWTO-7.html
35616 bytes
0644
packet-filtering-HOWTO-8.html
1457 bytes
0644
packet-filtering-HOWTO-9.html
2333 bytes
0644
packet-filtering-HOWTO.html
2831 bytes
0644
N4ST4R_ID | Naxtarrr
