Re: Routing/IPTables Question SOLVED

Posted by kbocek on 2012/3/27 4:04:47
Adding a source NAT rule to the postrouting chain fixed my problem. I added this to my /etc/sysconfig/iptables:

-A POSTROUTING -s 10.0.2.0/24 -d 10.0.2.0/24 -j SNAT --to-source 10.0.2.3


in addition to my regular outbound source NAT that lets me share my internet link.

What was going on was that by moving my server off of the net and behind the gateway I had to add destination NAT
rules to the gateway for the server. When external hosts access the x.mydom.com address, the gateway rewrites
the destination as the internal server address and passes the traffic on. The server composes its response, sees
that the return address is foreign and so returns the message to the gateway. All is good.

But when I used an internal host and went to the external address, the internal host is expecting a reply from the gateway
where the external address is residing. But the gateway hands that traffic off to the web server who sees the source address
on its *own* network and says "Hey, I'll handle this myself!" When the internal host receives traffic directly from the web server
it just ignores the unexpected traffic.

The answer is internal source-NAT for this traffic, re-writing the packets so the web server sends the packets *back* to the
gateway who then sends them back to the workstation. Basically, this internal traffic is getting *both* destination and source NAT.

Note that I used a netmask on my rule above to allow for future internal servers to be added. The rule also in this case
works as "-d 10.0.2.1" but would only work for the one server.

For clarification, 10.0.2.1 is the address of the web server, 10.0.2.3 is the address of the gateway.

My thanks to TrevorH for the key piece of using tcpdump to look at just what the heck was going on.

Thanks to everyone for their input and debugging skills.

This Post was from: https://www.centos.org/newbb/viewtopic.php?forum=58&topic_id=36596&post_id=158683
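The full hairpin (NAT loopback) rule set the post describes, written out as an added example rather than the poster's own config: a shell function that emits the `*nat` section in iptables-restore format. The LAN (10.0.2.0/24), gateway (10.0.2.3) and web server (10.0.2.1) addresses come from the post; the WAN interface `eth0`, public address `203.0.113.10` and port 80 are assumed values. The hairpin SNAT here is narrower than the post's rule (it matches only traffic to the server's port), which is the author's choice as an example, not a correction.

```shell
#!/bin/sh
# Added example, not from the post: generate the *nat section that gives a
# published service both DNAT and hairpin SNAT on the gateway.
# Assumed values (not in the post): WAN interface eth0, public address
# 203.0.113.10, TCP port 80. LAN/gateway/server addresses are from the post.

hairpin_nat_rules() {
    lan="$1"; gw_lan="$2"; server="$3"; public="$4"; port="$5"; wan_if="$6"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# External clients: rewrite the published address to the internal server.
-A PREROUTING -i ${wan_if} -d ${public} -p tcp --dport ${port} -j DNAT --to-destination ${server}
# Internal clients using the public address get the same DNAT; without the
# SNAT below the server would answer the client directly and the client
# would drop the reply as unexpected (the problem described in the post).
-A PREROUTING -s ${lan} -d ${public} -p tcp --dport ${port} -j DNAT --to-destination ${server}
# Hairpin SNAT: the server sees the gateway as the source, so its replies go
# back through the gateway, which un-NATs them to the internal client.
-A POSTROUTING -s ${lan} -d ${server} -p tcp --dport ${port} -j SNAT --to-source ${gw_lan}
# Regular outbound NAT so the LAN can share the internet link.
-A POSTROUTING -s ${lan} -o ${wan_if} -j MASQUERADE
COMMIT
EOF
}

# Emit the rules for the post's addresses plus the assumed values above.
hairpin_nat_rules 10.0.2.0/24 10.0.2.3 10.0.2.1 203.0.113.10 80 eth0
```

One side effect worth knowing when reviewing server logs: every hairpinned connection arrives at the web server with the gateway's address (10.0.2.3) as its source, so the real internal client address is only visible in the gateway's connection tracking or a tcpdump on the gateway.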