Re: [LUG] iptables help


On Mon, 6 Dec 2010, Simon Waters wrote:

> Need more coffee, but caffeine disagrees with me....
> 
> Client is
> Have box with HTTPS on local net
> Router forwarded traffic from public address to
> This works okay.
> 
> Internally it fails.

In what way?

> I want to advertise the public address internally (

Ah, so you want a client on the LAN to go to and get to the web server on ?

If that's the case, then I've never made that work, but I've not actually tried hard to make it work either - my solutions have always involved split DNS, so that internally www.thingy.blah points to and externally it would point to ...

> I think the issue is that internally it doesn't masquerade the connection, as I see the SYN packet forwarded but with the original source IP address so the reply goes from to
> 
> Current rule is
> 
> -A PREROUTING -d -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-destination
> 
> I can add "-i eth0" to this to restrict it to the external stuff.

Are you putting it in the right table? Should it go into the nat table?

  --table nat

> But what should be the rule with "-i eth1" in it given I want to force connections from elsewhere in ( to be masqueraded by the same firewall to

You mean like force proxying?

I use this:

# $ipt --table nat -A PREROUTING -i $inet_lan -p tcp --dport 80 -j REDIRECT --to-port 3128
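The hairpin ("NAT loopback") rule set the question above is circling around, as an added example that is not from the original mail or from either poster. Interface names, the documentation-range addresses and the assumption that the filter table's FORWARD chain already permits the traffic are all mine; the script only prints the rules so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Placeholder values (assumptions, not from the thread); override via the environment.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                  # interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"                  # interface facing the LAN
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"    # public address the clients use
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # LAN the clients sit on
SERVER_IP="${SERVER_IP:-192.168.1.20}"    # internal HTTPS box
PORT="${PORT:-443}"

# Emit the nat-table rules. Note that the nat table only ever sees the
# first packet of a connection, so a "-m state" match there adds nothing.
hairpin_rules() {
    # 1. External clients: the plain port forward, pinned to the WAN side
    #    so the rule cannot be hit from the LAN interface.
    echo "$IPT -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP"
    # 2. LAN clients talking to the public address: same DNAT, matched on
    #    the LAN interface and the LAN source range.
    echo "$IPT -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP"
    # 3. The missing half: the DNATed packet still carries the client's
    #    own source address, so the server would answer the client directly
    #    and the client would reset a reply that did not come from PUBLIC_IP.
    #    Masquerading those connections to the firewall's LAN address makes
    #    the reply return through the firewall, which undoes the DNAT.
    #    "-s $LAN_NET" keeps real external client IPs visible in server logs.
    echo "$IPT -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP -p tcp --dport $PORT -j MASQUERADE"
}

# How many rules involve the LAN interface: the external-only DNAT from the
# thread is one rule; the hairpin case needs two more.
count_lan_rules() {
    hairpin_rules | grep -c -- "$LAN_IF"
}

hairpin_rules
```

Run as `sh hairpin.sh | sudo sh` once the printed rules look right; the filter table must also accept the forwarded traffic, which this script does not touch.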


