
Re: [LUG] iptables help


On Mon, 6 Dec 2010, Simon Waters wrote:

Need more coffee, but caffeine disagrees with me....

Client is 10.0.0.3
Have box with HTTPS on local net 10.0.0.2
Router forwarded traffic from public address to 10.0.0.2
This works okay.

Internally it fails.

In what way?

I want to advertise the public address internally (1.2.3.4).

Ah, so you want a client on the LAN to go to http://1.2.3.4/ and get to the web server on 10.0.0.2 ?

If that's the case, then I've never made that work, but I've not actually tried hard to make it work either - my solutions have always involved split DNS, so that internally www.thingy.blah points to 10.0.0.2 and externally it would point to 1.2.3.4 ...

I think the issue is that internally it doesn't masquerade the connection, as I see the SYN packet forwarded but with the original source IP address so the reply goes from 10.0.0.2 to 10.0.0.3.

Current rule is

-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-destination 10.0.0.2:443

I can add "-i eth0" to this to restrict it to the external stuff.

Are you putting it in the right table? Should it go into the nat table?

  --table nat

But what should be the rule with "-i eth1" in it given I want to force connections from elsewhere in 10.0.0.0/8 (10.0.0.3) to be masqueraded by the same firewall to 10.0.0.2.

You mean like force proxying?

I use this:

# $ipt --table nat -A PREROUTING -i $inet_lan -p tcp --dport 80 -j REDIRECT --to-port 3128

Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
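A rule set that answers Simon's question about the LAN-side ("-i eth1") case, as an added example that is not from either poster. It assumes eth0 is the WAN interface and eth1 the LAN interface, and it prints the iptables commands instead of running them so they can be reviewed against the live nat table first.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for the setup in the thread: clients on
# 10.0.0.0/8 connect to the public address 1.2.3.4:443 and must reach
# 10.0.0.2:443 via the firewall. Assumed interface names: eth0 = WAN, eth1 = LAN.
WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP=1.2.3.4
SERVER_IP=10.0.0.2
LAN_NET=10.0.0.0/8
PORT=443

# Emit the commands rather than executing them; pipe to "sh" as root to apply.
hairpin_rules() {
    # 1. External clients: Simon's DNAT, restricted to the WAN side with -i.
    #    Only NEW connections need the rule; conntrack rewrites the rest of the flow.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $PORT -m conntrack --ctstate NEW -j DNAT --to-destination $SERVER_IP:$PORT"
    # 2. Internal clients hitting the public address: same DNAT, from the LAN side.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP -p tcp --dport $PORT -m conntrack --ctstate NEW -j DNAT --to-destination $SERVER_IP:$PORT"
    # 3. The missing piece Simon observed: without source rewriting the SYN is
    #    forwarded with 10.0.0.3 as source and the server replies to 10.0.0.3
    #    directly, bypassing the firewall's conntrack entry. Masquerade only
    #    LAN-origin traffic to the server, so real client addresses from the
    #    Internet still reach the server's logs unchanged.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP -p tcp --dport $PORT -j MASQUERADE"
    # 4. filter table: DNAT only rewrites addresses; FORWARD must still accept it.
    echo "iptables -A FORWARD -d $SERVER_IP -p tcp --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $SERVER_IP -p tcp --sport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

hairpin_rules
```

The trade-off of rule 3 is that the web server sees the firewall's LAN address for every internal client, which is why Gordon's split-DNS approach is often preferred where client IPs matter in the server's logs.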