On Tue, 2 May 2006 04:34:13 +0300 Tsakiridis Antonis <[EMAIL PROTECTED]> wrote:
> I have a small LAN and want to allow access to an internal (no real IP, sorry ;-)) web server to Internet clients.
>
> The gateway is using iptables v1.2.11 (debian sarge).
>
> I have activated port forwarding, so that Internet traffic targeted at my gateway's port 80 is forwarded to the internal web server and works just fine.
>
> (To make things a bit clear:
> the Internet accesses the gateway through $INET_IP,
> the LAN accesses the gateway through $LAN_IP,
> the IP of the internal web server is $HTTPD_IP)
>
> What I also want, however, is to allow other LAN hosts to have access to the same web server using the FQDN of the gateway (say http://mysite.dyndns.org). To do that correctly I must also SNAT LAN packets destined to $INET_IP of the gateway:
>
> iptables -t nat -A POSTROUTING -p TCP -i $LAN_IFACE -d $HTTPD_IP --dport 80 -j SNAT --to-source $LAN_IP
>
> Which gives me an error:
> iptables v1.2.11: Can't use -i with POSTROUTING
>
> Finally, I want to be able to contact the web server from the gateway through the FQDN as well. So I need to DNAT locally generated packets so that they are sent to the proper host:
>
> iptables -t nat -A OUTPUT -p TCP -d $INET_IP --dport 80 -j DNAT --to-destination $HTTPD_IP:80
>
> Which also gives me an error:
> iptables v1.2.7a: Invalid argument
>
> Firstly, I would really appreciate it if someone could tell me what is wrong with rules 2 and 3?
>
> Secondly, is there a way to achieve this functionality?
>
> p.s. These rules are taken from Oskar Andreasson's extensive discussion of the DNAT target in his "Iptables Tutorial 1.2.0", section 11.3 (http://iptables-tutorial.frozentux.net/iptables-tutorial.html).
>
> Thanks a lot in advance,
> Antonis

Take a look at the Iptables Tutorial written by Oskar Andreasson. When he talks about NAT, there's an example treating a problem very very similar to the one you have.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

--
Miguel Da Silva.
Servicio de Informatica. Facultad de Ciencias.
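An added example, not part of the thread or of the tutorial it cites: a dry-run script that prints the three nat rules for the setup described in the question, with the POSTROUTING match rewritten so it no longer uses -i (POSTROUTING only sees the outgoing interface, hence the first error). Assumptions: $LAN_NET and the sample addresses and interface name are constructed here, and limiting the SNAT to LAN sources is this example's choice so that forwarded Internet clients keep their real address in the web server's logs.

```shell
#!/bin/sh
# Constructed sample values (documentation/private ranges), not from the thread.
INET_IP="${INET_IP:-203.0.113.10}"     # gateway's public address
LAN_IP="${LAN_IP:-192.168.1.1}"        # gateway's LAN address
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN subnet (not in the thread)
LAN_IFACE="${LAN_IFACE:-eth1}"         # assumed LAN interface name
HTTPD_IP="${HTTPD_IP:-192.168.1.20}"   # internal web server

# Print the three nat-table rules, one per line, without the leading "iptables".
hairpin_rules() {
    # 1. Port forward. It must match on the destination address only: if it
    #    were tied to the Internet-facing interface, LAN clients using the
    #    gateway's FQDN would never be DNATed.
    echo "-t nat -A PREROUTING -p tcp -d $INET_IP --dport 80 -j DNAT --to-destination $HTTPD_IP:80"

    # 2. Hairpin SNAT. "-i" is not valid in POSTROUTING, so "packets that came
    #    from the LAN" is expressed as source subnet plus outgoing interface.
    #    Without the SNAT the server would answer the LAN client directly and
    #    the client would drop the reply, since it expects it from $INET_IP.
    echo "-t nat -A POSTROUTING -p tcp -s $LAN_NET -o $LAN_IFACE -d $HTTPD_IP --dport 80 -j SNAT --to-source $LAN_IP"

    # 3. Locally generated packets skip PREROUTING, so they are DNATed in
    #    OUTPUT. The syntax matches the rule in the question; whether the
    #    kernel accepts it depends on its support for NAT of local connections.
    echo "-t nat -A OUTPUT -p tcp -d $INET_IP --dport 80 -j DNAT --to-destination $HTTPD_IP:80"
}

# Dry run by default; set APPLY=1 (as root) to load the rules.
apply_rules() {
    hairpin_rules | while read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            # Word splitting of $rule is intended here.
            iptables $rule || exit 1
        else
            echo "iptables $rule"
        fi
    done
}

apply_rules
```

After loading the rules, `iptables -t nat -L -n -v` shows per-rule packet counters, which confirms whether LAN requests actually hit rule 2.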