Date: Fri, 05 Mar 2004 07:52:22 +0100
From: Sasa Stupar <sasa@stupar.homelinux.net>
To: FreeBSD-config ML <freebsd-config@freebsd.org>
Subject: Re: NAT onto same network?
Message-ID: <404823A6.5080108@stupar.homelinux.net>
In-Reply-To: <40470BD2.9000001@stupar.homelinux.net>
References: <4046FDDA.7080908@stupar.homelinux.net> <49386.141.67.67.161.1078396444.squirrel@Matrix.Iceman> <40470BD2.9000001@stupar.homelinux.net>
Anyone?

Sasa

Sasa Stupar writes:
> OK, the webserver's IP is 192.168.10.10, the internal IP on the NAT machine is
> 192.168.10.111, all users have IPs in the range 192.168.10.0/24 mask
> 255.255.255.0. They are all connected to the switch.
> Here is what it says about it, but for iptables on Linux:
> --------
> 10. Destination NAT Onto the Same Network
>
> If you are doing port forwarding back onto the same network, you need to
> make sure that both future packets and reply packets pass through the
> NAT box (so they can be altered). The NAT code will now (since
> 2.4.0-test6), block the outgoing ICMP redirect which is produced when
> the NAT'ed packet heads out the same interface it came in on, but the
> receiving server will still try to reply directly to the client (which
> won't recognize the reply).
>
> The classic case is that internal staff try to access your `public' web
> server, which is actually DNAT'ed from the public address (1.2.3.4) to
> an internal machine (192.168.1.1), like so:
>
> # iptables -t nat -A PREROUTING -d 1.2.3.4 \
>     -p tcp --dport 80 -j DNAT --to 192.168.1.1
>
> One way is to run an internal DNS server which knows the real (internal)
> IP address of your public web site, and forward all other requests to an
> external DNS server. This means that the logging on your web server will
> show the internal IP addresses correctly.
>
> The other way is to have the NAT box also map the source IP address to
> its own for these connections, fooling the server into replying through
> it. In this example, we would do the following (assuming the internal IP
> address of the NAT box is 192.168.1.250):
>
> # iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
>     -p tcp --dport 80 -j SNAT --to 192.168.1.250
>
> Because the PREROUTING rule gets run first, the packets will already be
> destined for the internal web server: we can tell which ones are
> internally sourced by the source IP addresses.
> ----------------
>
> Thank you,
> Sasa
>
>
> Frank Mueller writes:
>
>> Maybe you should give a little more information, what exactly you're
>> trying to do.
>> Subnets? Netmasks? Webserver physically only connected to Gateway???
>>
>> Bye,
>>
>> Frank
>>
>>
>>> Hi!
>>>
>>> I have managed to configure NAT, port forwarding and firewall on my new
>>> gateway machine. Now I am stuck with configuring NAT onto the same network.
>>> I need it so LAN users can access a webserver which is also on the LAN (it
>>> has multiple virtual hosts configured).
>>> Can anyone help me with this?
>>>
>>> Thank you,
>>> Sasa
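The following is an added example, not part of the thread above and not code from the Linux NAT HOWTO that Sasa quotes. It models the two quoted iptables rules (the PREROUTING DNAT and the POSTROUTING SNAT) and the routing behaviour of hosts on one switch, so you can see exactly why the DNAT rule alone breaks LAN-to-webserver connections and why adding the SNAT rule fixes them. Addresses 1.2.3.4, 192.168.1.1, 192.168.1.250 and 192.168.1.0/24 come from the quoted text; the client address 192.168.1.5, the source port 40000 and the simplified routing model (an on-link destination is reached directly, anything else goes to the gateway) are assumptions made for the example. The FreeBSD-side rule syntax that Sasa is asking for is not shown, because the thread does not supply it.

```python
"""Model of destination NAT "onto the same network" (hairpin NAT).

Added example: it simulates the packet flow described in the quoted Linux
NAT HOWTO text, not any real firewall. Routing is reduced to one rule:
a host delivers directly to an address on its own subnet and hands
everything else to the gateway (the NAT box).
"""
from dataclasses import dataclass, replace
import ipaddress

PUBLIC = "1.2.3.4"          # public address of the web site (from the quoted text)
WEB = "192.168.1.1"         # internal web server (from the quoted text)
NAT_INT = "192.168.1.250"   # NAT box's internal address (from the quoted text)
LAN = ipaddress.ip_network("192.168.1.0/24")
CLIENT = "192.168.1.5"      # constructed LAN client, an assumption for the example


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


class NatBox:
    """Minimal model of the two iptables nat-table rules quoted above."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # conntrack: (translated src, sport) -> (original src, original dst)
        self.conntrack: dict[tuple[str, int], tuple[str, str]] = {}

    def forward(self, p: Pkt) -> Pkt:
        """Packet entering from the LAN: PREROUTING DNAT, then POSTROUTING SNAT."""
        orig_src, orig_dst = p.src, p.dst
        # PREROUTING: -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to 192.168.1.1
        if p.dst == PUBLIC and p.dport == 80:
            p = replace(p, dst=WEB)
        # POSTROUTING: -d 192.168.1.1 -s 192.168.1.0/24 -p tcp --dport 80
        #              -j SNAT --to 192.168.1.250   (only when enabled)
        if (self.hairpin_snat and p.dst == WEB and p.dport == 80
                and ipaddress.ip_address(p.src) in LAN):
            p = replace(p, src=NAT_INT)
        self.conntrack[(p.src, p.sport)] = (orig_src, orig_dst)
        return p

    def reverse(self, p: Pkt) -> Pkt:
        """Reply passing back through the box: undo both translations."""
        orig_src, orig_dst = self.conntrack[(p.dst, p.dport)]
        return replace(p, src=orig_dst, dst=orig_src)


def server_reply(p: Pkt) -> Pkt:
    """The web server answers whatever source address it saw in the request."""
    return Pkt(src=p.dst, dst=p.src, sport=p.dport, dport=p.sport)


def lan_route(p: Pkt) -> str:
    """Where a LAN host sends a packet: 'direct' to an on-link host, else 'gateway'."""
    if ipaddress.ip_address(p.dst) in LAN and p.dst != NAT_INT:
        return "direct"
    return "gateway"


def simulate(hairpin_snat: bool) -> dict:
    """One LAN client connecting to the 'public' address of the internal web server."""
    nat = NatBox(hairpin_snat)
    request = Pkt(src=CLIENT, dst=PUBLIC, sport=40000, dport=80)
    assert lan_route(request) == "gateway"   # 1.2.3.4 is off-link, so it goes to the NAT box
    at_server = nat.forward(request)
    reply = server_reply(at_server)
    path = lan_route(reply)
    # With DNAT only, the reply is addressed to the client itself, so the switch
    # delivers it directly and the NAT box never gets a chance to untranslate it.
    delivered = reply if path == "direct" else nat.reverse(reply)
    accepted = (delivered.src == request.dst and delivered.dst == request.src
                and delivered.sport == request.dport and delivered.dport == request.sport)
    return {
        "server_sees_src": at_server.src,
        "reply_path": path,
        "reply_src_seen_by_client": delivered.src,
        "client_accepts": accepted,
    }


if __name__ == "__main__":
    print("DNAT only:  ", simulate(hairpin_snat=False))
    print("DNAT + SNAT:", simulate(hairpin_snat=True))
```

Without the SNAT rule the client gets a SYN/ACK from 192.168.1.1 for a connection it opened to 1.2.3.4, which its TCP stack does not recognise, so the connection never completes. With the SNAT rule the server replies to 192.168.1.250, the box untranslates it, and the client sees 1.2.3.4 as expected. The cost, which the quoted text also points out, is that the web server's logs show 192.168.1.250 for every internal client; the split-DNS approach avoids that at the price of running an internal resolver.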
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?404823A6.5080108>