Make WAN address always respond as such (iptables rules?)
nick at leippe.com
Tue Jan 23 16:15:22 MST 2007
On Tuesday 23 January 2007 14:51, Andrew Jorgensen wrote:
> On 1/23/07, Nicholas Leippe <nick at leippe.com> wrote:
> > You'll need both a DNAT and a SNAT rule if you don't want to do an
> > internal zone in your DNS. See:
> > http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html
> Thanks for this, Nicholas, I think it's almost what I'm looking for
> but if I'm reading it correctly the example is just forwarding the lan
> port 80 to the internal web server as well. I want it to do that only
> if the destination address is the external address.
The first part of the example does exactly this--it DNATs anything destined to
tcp 220.127.116.11:80 back to 192.168.1.1. The key is the second, SNAT rule, that
forces the reply to travel back through the firewall.
> I suppose one of my problems is going to be that I don't know my
> external address until after dhcp is up, but it wouldn't be a big deal
> to have something run as a dhcp change hook.
Yes, it is easier if you have a static ip.
There is also another way to do it, without having all of the traffic go
through the firewall--only the one direction:
1) mark packets destined for tcp <your public ip>:80 in the mangle:PREROUTING
2) add a routing rule to tell it to use a different table to route packets
with the mark from (1)
3) add the new routing table that simply routes everything to the internal web
This method does not change the packets at all, and the respons packets are
sent directly from the internal web server to the client. It still, however,
requires you to know the external ip address.
More information about the PLUG