Hi,

On Mon, 27 Jun 2005 11:20:53 -0400 Travis Osterman <[EMAIL PROTECTED]> wrote:
> I cut all port forwarding rules but port 80 and all mac filtering less
> one and commented as such to keep the length down. Thanks again for
> any suggestions.

I'll comment below...

> *nat
> # [...]
> # snipped other DNAT
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20
> -A PREROUTING -i ppp0 -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.1.20

Never heard of http-via-udp...

But the problem will show up here: The PREROUTING should apply also for packets coming from eth1 (LAN). Otherwise they'll hit the router's own tcp stack - where there's supposedly no http and so the connection would be reset.

The problem atm seems to be, as pointed out:

1. Both external clients and internal clients can correctly resolve http://my-dynamic-name.no-ip.com to ppp0's IP.
2.a. External clients' requests hit the router coming from ppp0.
2.b. Internal clients' requests hit the router coming from eth1.
3. nat/PREROUTING:
3.a. The packets from 2.a. get rewritten to dst 192.168.1.20.
3.b. The other ones don't get rewritten.
4. Routing is performed (filter/FORWARD, nat/POSTROUTING):
4.a. The packets from 2.a. will get routed to 192.168.1.20 and leave the router if allowed by nat/OUTPUT. (it is) WWW server does its job then.
4.b. The packets from 2.b. will hit the router's tcp stack if allowed by filter/INPUT (it is). They'll get RSTed if there's no open port 80.

Well, and we have some more problems. Your actual POSTROUTING chain only MASQUERADEs packets leaving through ppp0. With this, and the new rules, www packets from the LAN would get their destination rewritten on the router and be routed there. The source address will still be set to the original source address. So the web server would answer to that address. Problem here is the client: It expects an answer from the router's IP. So the web server's reply gets dropped at the client.

To overcome this, you can set up routing on the web server to generally send packets via the router. I'd suggest placing it in a different subnet, e.g. 192.168.3.0/24, and have the router use an address in that range too. A little of a DMZ on the LAN wire (not suggested, but not different from your current solution).

To-Do:
- on the webserver: configure address to 192.168.3.20
- on the router:
  - configure a second address for eth1 in /etc/conf.d/net (192.168.3.1 assumed here)
  - modify iptables settings: You need to insert a new rule like the ones above but also for "-i eth1". You'll further need to specify "-d EXTERNAL_IP" (well, of course with that IP instead) to not get all connections to a www port rewritten to that destination. I'd suggest using a new chain for this that you can flush in a script and just place a new rule there if the IP changes.

e.g. global script on boot up:

iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.20
iptables -t nat -N internalwww
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j internalwww

and e.g. in your dhcp-script:

iptables -t nat -F internalwww
iptables -t nat -A internalwww -d $EXTERNAL_IP -j DNAT --to-destination 192.168.3.20

-hwh
--
gentoo-user@gentoo.org mailing list
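The boot-time rules and the dhcp hook from the To-Do above, written out as an added shell example that is not part of the original mail. It assumes the same names as the mail (ppp0, eth1, the internalwww chain, 192.168.3.20) and takes the current external IP as an argument, so the chain rule is only ever refreshed with a well-formed address and is always restricted with -d to that address.

```shell
#!/bin/sh
# Added example; names below are the ones assumed in the mail, overridable via environment.
IPT="${IPT:-iptables}"          # set IPT=echo to dry-run and see the generated commands
WWW_IP="${WWW_IP:-192.168.3.20}" # web server on its own subnet, routed via the router
EXT_IF="${EXT_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth1}"
CHAIN="internalwww"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Boot-time rules: DNAT from the outside, and hand LAN-originated port-80 traffic
# to a dedicated chain whose single rule is refreshed whenever the external IP changes.
boot_rules() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -m tcp --dport 80 \
        -j DNAT --to-destination "$WWW_IP"
    $IPT -t nat -N "$CHAIN" 2>/dev/null || true   # tolerate an already existing chain
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -m tcp --dport 80 -j "$CHAIN"
}

# dhcp/ppp-up hook: flush the chain and install one rule matching only the current
# external IP, so other port-80 destinations reached from the LAN are left alone.
dhcp_update() {
    ext_ip=$1
    if ! valid_ipv4 "$ext_ip"; then
        echo "refusing to install DNAT rule for '$ext_ip'" >&2
        return 1
    fi
    $IPT -t nat -F "$CHAIN"
    $IPT -t nat -A "$CHAIN" -d "$ext_ip" -p tcp -m tcp --dport 80 \
        -j DNAT --to-destination "$WWW_IP"
}
```

Run `IPT=echo sh -c '. ./hairpin.sh; boot_rules; dhcp_update 203.0.113.7'` to see the commands without touching the tables (203.0.113.7 is a constructed documentation address).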