Re: [LUG] iptables help


On 06/12/10 19:23, Gordon Henderson wrote:
> On Mon, 6 Dec 2010, Simon Waters wrote:
> 
>> Need more coffee, but caffeine disagrees with me....
>>
>> Client is 10.0.0.3
>> Have box with HTTPS on local net 10.0.0.2
>> Router forwarded traffic from public address to 10.0.0.2
>> This works okay.
>>
>> Internally it fails.
> 
> In what way?

As below it doesn't rewrite the source address.

>> I want to advertise the public address internally (1.2.3.4).
> 
> Ah, so you want a client on the LAN to go to http://1.2.3.4/ and get to
> the web server on 10.0.0.2 ?

Yes, and more crucially the replies have to come back the same way.

> If that's the case, then I've never made that work, but I've not
> actually tried hard to make it work either - my solutions have always
> involved split DNS, so that internally www.thingy.blah points to
> 10.0.0.2 and externally it would point to 1.2.3.4 ...

I'd rather not, it is not as if this is going to be a bottleneck of any
consequence.

>> -A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 443 -m state --state
>> NEW,RELATED,ESTABLISHED -j DNAT --to-destination 10.0.0.2:443
>>
>> I can add "-i eth0" to this to restrict it to the external stuff.
> 
> Are you putting it in the right table? Should it go into the nat table?
>
>   --table nat

Strictly yes, but I don't think it will make any difference, as I believe
iptables implicitly moves things that have to be in the nat table into
the nat table; still, I'll give it a try.

>> But what should be the rule with "-i eth1" in it given I want to force
>> connections from elsewhere in 10.0.0.0/8 (10.0.0.3) to be masqueraded
>> by the same firewall to 10.0.0.2.
> 
> You mean like force proxying?
> 
> I use this:
> 
> # $ipt --table nat -A PREROUTING -i $inet_lan -p tcp --dport 80 -j
> REDIRECT --to-port 3128

I already do that on the box for squid.

I need to change both the source and the destination; probably I need two
rules, one on prerouting to DNAT and one on postrouting to SNAT. Or
possibly I can do it in one?

I'll try the two rule thing, and explicit nat table tomorrow in the
absence of better suggestions. It'll probably work in the morning anyway.

 Simon
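The two-rule hairpin NAT Simon describes (DNAT in PREROUTING, source rewrite in POSTROUTING), written out as an added example that is not from the thread. It assumes eth1 is the firewall's LAN interface, uses MASQUERADE so the firewall's own LAN address need not be known, and limits the source rewrite with `--ctstate DNAT` so direct LAN connections to 10.0.0.2 are left alone.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) for the setup in the thread: a LAN client
# (10.0.0.3) connects to the public address 1.2.3.4:443, must reach the
# internal server 10.0.0.2, and the replies must come back via the firewall.
# Assumption not stated in the thread: eth1 is the firewall's LAN interface.

# Run the command when APPLY=1, otherwise print it (dry run).
emit() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# hairpin_rules LAN_IF PUBLIC_IP SERVER_IP PORT LAN_NET
hairpin_rules() {
    lan_if=$1; pub=$2; srv=$3; port=$4; lan_net=$5
    # Rule 1, nat/PREROUTING: LAN clients addressing the public IP are sent
    # to the internal server. If the existing DNAT rule has no "-i eth0" it
    # already does this for LAN packets; rule 2 is the part that was missing.
    # Only a connection's first packet traverses the nat table, so a
    # --state NEW,RELATED,ESTABLISHED match adds nothing here.
    emit -t nat -A PREROUTING -i "$lan_if" -s "$lan_net" -d "$pub" \
        -p tcp --dport "$port" -j DNAT --to-destination "$srv:$port"
    # Rule 2, nat/POSTROUTING: rewrite the client's source to the firewall's
    # LAN address. Without it 10.0.0.2 answers 10.0.0.3 directly, the client's
    # TCP stack cannot match that reply to the connection it opened to
    # 1.2.3.4, and the handshake never completes. --ctstate DNAT restricts
    # this to connections rule 1 rewrote; direct LAN traffic to 10.0.0.2
    # keeps its real source address.
    emit -t nat -A POSTROUTING -o "$lan_if" -s "$lan_net" -d "$srv" \
        -p tcp --dport "$port" -m conntrack --ctstate DNAT -j MASQUERADE
}

# Dry run with the thread's addresses; APPLY=1 installs the rules instead.
hairpin_rules eth1 1.2.3.4 10.0.0.2 443 10.0.0.0/8
```

After applying, `iptables -t nat -L -n -v` shows the packet counters climbing on both rules when a LAN client browses to https://1.2.3.4/.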



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq