
[LUG] iptables help


Need more coffee, but caffeine disagrees with me....

Client is 10.0.0.3
Have box with HTTPS on local net 10.0.0.2
Router forwarded traffic from public address to 10.0.0.2
This works okay.

Internally it fails.

I want to advertise the public address internally (1.2.3.4).

I think the issue is that internally it doesn't masquerade the connection, as I see the SYN packet forwarded but with the original source IP address so the reply goes from 10.0.0.2 to 10.0.0.3.

Current rule is

-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-destination 10.0.0.2:443

I can add "-i eth0" to this to restrict it to the external stuff.

But what should be the rule with "-i eth1" in it, given I want to force connections from elsewhere in 10.0.0.0/8 (10.0.0.3) to be masqueraded by the same firewall to 10.0.0.2?

Oh, the router's internal interface is 10.0.0.1.

I'm sure it is trivial but my brain isn't producing anything that iptables-restore will accept.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
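The setup the poster describes is NAT hairpinning (NAT loopback): a LAN client talks to the public address, the router DNATs it to the internal server, but the server's reply goes straight back to the client on the same subnet, so the client sees a reply from 10.0.0.2 to a connection it opened to 1.2.3.4 and drops it. The fix is a second DNAT rule on the LAN interface plus an SNAT in POSTROUTING so the server answers the router, which then un-NATs both directions. The script below is an added example, not part of the original post or list; it generates the nat-table fragment in iptables-restore format rather than applying it, so it can be inspected (and run) without root. Interface names eth0/eth1, the router LAN address 10.0.0.1 and the addresses 1.2.3.4/10.0.0.2 are taken from the post; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not the poster's config): emit a nat table for iptables-restore
# that forwards 1.2.3.4:443 to 10.0.0.2:443 for both external and LAN clients.
# Values below are assumptions taken from the post, not a real deployment.
PUBLIC_IP="1.2.3.4"
SERVER_IP="10.0.0.2"
LAN_NET="10.0.0.0/8"
ROUTER_LAN_IP="10.0.0.1"
WAN_IF="eth0"
LAN_IF="eth1"
PORT=443

# Print the nat table. Three parts:
#  1. DNAT on the WAN interface: the ordinary port forward that already works.
#  2. DNAT on the LAN interface: same rewrite for internal clients using 1.2.3.4.
#  3. SNAT in POSTROUTING, only for connections that were DNATed (ctstate DNAT),
#     so the server replies to the router instead of directly to the LAN client.
# Lines starting with '#' are ignored by iptables-restore.
hairpin_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# External clients: plain port forward
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP/32 -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT
# Internal clients hitting the public address: same DNAT on the LAN interface
-A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP/32 -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT
# Hairpin: destination is already rewritten here, so match the server and the DNAT state
-A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP/32 -p tcp --dport $PORT -m conntrack --ctstate DNAT -j SNAT --to-source $ROUTER_LAN_IP
# Keep the normal outbound masquerade for the LAN
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Count rules in the generated fragment that jump to a given target
# (handy for sanity-checking the output before loading it).
rule_count() {
    hairpin_nat_rules | grep -c -- "-j $1"
}

hairpin_nat_rules
```

Load it with `iptables-restore -n < fragment` (or merge the `*nat` section into the existing rules file); the FORWARD chain in the filter table must still accept the DNATed traffic in both directions. The cost of hairpinning is that the server's logs show every internal client as 10.0.0.1, because the SNAT hides the real source; if that matters, point internal clients at 10.0.0.2 via split DNS instead.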