Linux: DNAT does not work for clients inside the NAT router
Problem: A private network 10.0.0.0/24 was set up with a web server and a Windows client. The NAT router was configured with a DNAT rule to allow external clients to reach the web server via the public IP address.
iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A PREROUTING -d ${ME} -t nat -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.0.234:80
This configuration worked as expected, with one exception: the Windows client on the inside could not reach the web server via the public IP address.
Solution: The web server was sending its reply packets directly to the client, using the private IP address it saw as the source, so the replies bypassed the NAT router instead of being translated back.
Changed
iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE
to read
iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -j MASQUERADE
thus masquerading all traffic from 10.0.0.0/24, even traffic going back into that network. This is necessary for DNAT to work for clients on the inside :-)
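As an added illustration (not code from the original article), a small Python model of the packet flow: with MASQUERADE restricted to '-o eth0' the server's reply leaves 10.0.0.234 straight for the client, which is waiting for an answer from the public address, so the connection never completes; with the hairpinned traffic masqueraded too, the reply passes back through the router. The client 10.0.0.5, router LAN address 10.0.0.1 and public address 203.0.113.10 are assumed.

```python
# Added illustration, not code from the original article.  The article's
# 10.0.0.0/24 network and web server 10.0.0.234 are used; the client 10.0.0.5,
# router LAN address 10.0.0.1 and public address 203.0.113.10 are assumed.
PUBLIC_IP = "203.0.113.10"   # stands in for ${ME}
ROUTER_LAN = "10.0.0.1"
SERVER = "10.0.0.234"
CLIENT = "10.0.0.5"


def same_lan(a, b):
    """True if both addresses lie in 10.0.0.0/24, the only LAN modelled."""
    return a.startswith("10.0.0.") and b.startswith("10.0.0.")


def router(pkt, masquerade_all):
    """Apply the router's nat table to a packet arriving from the LAN and
    return (forwarded packet, conntrack tuple (original, natted))."""
    src, dst = pkt["src"], pkt["dst"]
    original = (src, dst)
    if dst == PUBLIC_IP:           # PREROUTING: DNAT --to 10.0.0.234:80
        dst = SERVER
    # POSTROUTING: with '-o eth0' MASQUERADE only touches packets leaving on
    # the WAN side; without it, packets hairpinning back into the LAN are
    # rewritten too, so the server sees the router rather than the client.
    leaving_wan = not same_lan(src, dst)
    if leaving_wan or masquerade_all:
        src = PUBLIC_IP if leaving_wan else ROUTER_LAN
    return {"src": src, "dst": dst}, (original, (src, dst))


def handshake_completes(masquerade_all):
    """Can an inside client open a connection to the server's public IP?"""
    syn = {"src": CLIENT, "dst": PUBLIC_IP}
    fwd, (original, natted) = router(syn, masquerade_all)
    synack = {"src": fwd["dst"], "dst": fwd["src"]}   # server answers what it saw
    if same_lan(synack["src"], synack["dst"]) and synack["dst"] != ROUTER_LAN:
        seen = synack              # same subnet: delivered directly, router bypassed
    else:
        # Reply passes the router, which matches conntrack and un-NATs it.
        assert (synack["dst"], synack["src"]) == natted
        seen = {"src": original[1], "dst": original[0]}
    # The client only accepts a SYN-ACK from the address it connected to.
    return seen["src"] == PUBLIC_IP and seen["dst"] == CLIENT


if __name__ == "__main__":
    print("DNAT + MASQUERADE -o eth0:", handshake_completes(False))  # False
    print("DNAT + MASQUERADE all   :", handshake_completes(True))   # True
```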