From owner-freebsd-config@FreeBSD.ORG Thu Mar 4 22:52:09 2004
Message-ID: <404823A6.5080108@stupar.homelinux.net>
Date: Fri, 05 Mar 2004 07:52:22 +0100
From: Sasa Stupar
To: FreeBSD-config ML
References: <4046FDDA.7080908@stupar.homelinux.net> <49386.141.67.67.161.1078396444.squirrel@Matrix.Iceman> <40470BD2.9000001@stupar.homelinux.net>
In-Reply-To: <40470BD2.9000001@stupar.homelinux.net>
Subject: Re: NAT onto same network?
Anyone?

Sasa

Sasa Stupar writes:
> OK, the webserver's IP is 192.168.10.10, the internal IP on the NAT machine is
> 192.168.10.111, all users have IPs in the range 192.168.10.0/24, mask
> 255.255.255.0. They are all connected to the switch.
> Here is what it says about it, but for iptables on Linux:
> --------
> 10. Destination NAT Onto the Same Network
>
> If you are doing port forwarding back onto the same network, you need to
> make sure that both future packets and reply packets pass through the
> NAT box (so they can be altered). The NAT code will now (since
> 2.4.0-test6) block the outgoing ICMP redirect which is produced when
> the NAT'ed packet heads out the same interface it came in on, but the
> receiving server will still try to reply directly to the client (which
> won't recognize the reply).
>
> The classic case is that internal staff try to access your `public' web
> server, which is actually DNAT'ed from the public address (1.2.3.4) to
> an internal machine (192.168.1.1), like so:
>
> # iptables -t nat -A PREROUTING -d 1.2.3.4 \
>     -p tcp --dport 80 -j DNAT --to 192.168.1.1
>
> One way is to run an internal DNS server which knows the real (internal)
> IP address of your public web site, and forward all other requests to an
> external DNS server. This means that the logging on your web server will
> show the internal IP addresses correctly.
>
> The other way is to have the NAT box also map the source IP address to
> its own for these connections, fooling the server into replying through
> it. In this example, we would do the following (assuming the internal IP
> address of the NAT box is 192.168.1.250):
>
> # iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
>     -p tcp --dport 80 -j SNAT --to 192.168.1.250
>
> Because the PREROUTING rule gets run first, the packets will already be
> destined for the internal web server: we can tell which ones are
> internally sourced by the source IP addresses.
> ----------------
>
> Thank you,
> Sasa
>
>
> Frank Mueller writes:
>
>> Maybe you should give a little more information, what exactly you're
>> trying to do.
>> Subnets? Netmasks? Webserver physically only connected to Gateway???
>>
>> Bye,
>>
>> Frank
>>
>>
>>> Hi!
>>>
>>> I have managed to configure NAT, port forwarding and firewall on my new
>>> gateway machine. Now I am stuck with configuring NAT onto the same network.
>>> I need it so LAN users can access the webserver which is also on the LAN (it
>>> has multiple virtual hosts configured).
>>> Can anyone help me with this?
>>>
>>> Thank you,
>>> Sasa
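An added worked example, not part of this thread and not FreeBSD, ipfw or netfilter code: a small Python model of the packet flow the quoted text describes. It uses the addresses from the quoted iptables rules (public 1.2.3.4, web server 192.168.1.1, NAT box 192.168.1.250, LAN 192.168.1.0/24) plus a constructed LAN client at 192.168.1.20. It shows why, without the POSTROUTING SNAT rule, the server's reply is switched straight to the client with a source address the client's TCP stack never expected, and why the SNAT rule fixes that at the cost of the web server logging the NAT box's address instead of the client's.

```python
"""Simplified model of hairpin (same-network) DNAT with and without the
SNAT rule from the quoted text.  Constructed example; it models the
routing decisions, not a real kernel NAT implementation."""

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
PUBLIC = "1.2.3.4"          # public address DNAT'ed to the web server
WEB = "192.168.1.1"         # internal web server
NAT_INT = "192.168.1.250"   # NAT box's internal address (LAN default gateway)
CLIENT = "192.168.1.20"     # constructed LAN client, not from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatBox:
    """Stateful NAT box: PREROUTING DNAT, optional POSTROUTING SNAT, and a
    connection table so replies that do pass through it are un-NATed."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # expected reply 4-tuple -> original packet

    def forward(self, pkt):
        """Apply the nat table to a packet arriving from the LAN."""
        orig = pkt
        # PREROUTING: -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to 192.168.1.1
        if pkt.dst == PUBLIC and pkt.dport == 80:
            pkt = replace(pkt, dst=WEB)
        # POSTROUTING: -d 192.168.1.1 -s 192.168.1.0/24 -p tcp --dport 80
        #              -j SNAT --to 192.168.1.250   (only if enabled)
        if (self.hairpin_snat and pkt.dst == WEB and pkt.dport == 80
                and ip_address(pkt.src) in LAN):
            pkt = replace(pkt, src=NAT_INT)
        # Remember how the server's reply (if it reaches us) must be reversed.
        self.conntrack[(pkt.dst, pkt.src, pkt.dport, pkt.sport)] = orig
        return pkt

    def reverse(self, reply):
        """Un-NAT a reply that traversed the box: restore the client's view."""
        orig = self.conntrack[(reply.src, reply.dst, reply.sport, reply.dport)]
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def server_reply(pkt):
    """The web server answers whatever source address it saw."""
    return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


def next_hop(dst):
    """A LAN host sends to a same-subnet peer directly through the switch;
    anything off-subnet goes to the default gateway, the NAT box."""
    return dst if ip_address(dst) in LAN else NAT_INT


def client_accepts(sent, reply):
    """A client TCP stack only matches a reply to the 4-tuple it opened."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (sent.dst, sent.dport, sent.src, sent.sport)


def simulate(hairpin_snat):
    """Run one LAN client -> public address -> web server exchange."""
    nat = NatBox(hairpin_snat)
    syn = Packet(src=CLIENT, dst=PUBLIC, sport=40000, dport=80)
    at_server = nat.forward(syn)        # 1.2.3.4 is off-subnet: goes via NAT box
    reply = server_reply(at_server)
    if next_hop(reply.dst) == NAT_INT:  # reply addressed to the NAT box
        delivered, path = nat.reverse(reply), "via NAT box"
    else:                               # reply switched straight to the client
        delivered, path = reply, "direct"
    return {
        "server_sees_src": at_server.src,
        "reply_path": path,
        "reply_src_seen_by_client": delivered.src,
        "client_accepts": client_accepts(syn, delivered),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("SNAT rule %s: %s" % ("on " if flag else "off", simulate(flag)))
```

Without the SNAT rule the reply's source is 192.168.1.1 while the client is waiting on 1.2.3.4:80, so the client discards it; with the rule the reply is forced back through the NAT box and reversed correctly, but `server_sees_src` becomes 192.168.1.250, which is the logging trade-off the quoted text mentions and why it offers the internal-DNS alternative.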