Re: iptables NAT routing issues

[Maximilian Wilhelm <max@rfc2324.org>]

Am Tuesday, den  8 May hub Bas Verhoeven folgendes in die Tasten:

Hi!

> We're having some problems with iptables, have been playing ~3 hours 
> with this and I need some advice.

> We want to 'forward' port 80 from one ip to another ip (other server) - 
> mainly to protect the webserver. One could say that you could use basic 
> portforwarding for this, but as far as i know this also breaks the 
> source ip for apache logs, etc. So we decided that we needed NAT'ing.
[...]

> OUTBOUND SERVER:

> iptables -t nat -A PREROUTING -p tcp --dport 80 -d <ext_web_ip> -j DNAT 
> --to-destination <webserver_ip>:80

That´s fine.
This will also make netfilter care of answer packages.

> Note: We didn't touch this as it seems to works fine.
> 
> WEBSERVER:
[...]
There are no NAT rules needed here.
All you have to accomplish is that the answer packages from WEBSERVER
to $client are routed via OUTBOUND SERVER.

I guess that´s just true by the network architecture.

e.g.

client network / inet  <--->  OUTBOUND SERVER  <->  WEBSERVER

HTH
Ciao
Max
-- 
        Follow the white penguin.