Make WAN address always respond as such (iptables rules?)

Nicholas Leippe nick at leippe.com
Tue Jan 23 16:15:22 MST 2007


On Tuesday 23 January 2007 14:51, Andrew Jorgensen wrote:
> On 1/23/07, Nicholas Leippe <nick at leippe.com> wrote:
> > You'll need both a DNAT and a SNAT rule if you don't want to do an
> > internal zone in your DNS.  See:
> >
> > http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html
>
> Thanks for this, Nicholas, I think it's almost what I'm looking for
> but if I'm reading it correctly the example is just forwarding the lan
> port 80 to the internal web server as well.  I want it to do that only
> if the destination address is the external address.

The first part of the example does exactly this--it DNATs anything destined to 
tcp 1.2.3.4:80 back to 192.168.1.1.  The key is the second, SNAT rule, that 
forces the reply to travel back through the firewall.

>
> I suppose one of my problems is going to be that I don't know my
> external address until after dhcp is up, but it wouldn't be a big deal
> to have something run as a dhcp change hook.

Yes, it is easier if you have a static ip.


There is also another way to do it, without having all of the traffic go 
through the firewall--only the one direction:

1) mark packets destined for tcp <your public ip>:80 in the mangle:PREROUTING 
table

2) add a routing rule to tell it to use a different table to route packets 
with the mark from (1)

3) add the new routing table that simply routes everything to the internal web 
server

This method does not change the packets at all, and the respons packets are 
sent directly from the internal web server to the client.  It still, however, 
requires you to know the external ip address.




More information about the PLUG mailing list