NAT question for a networking guru

der.hans plug-discuss@lists.PLUG.phoenix.az.us
Wed, 22 Aug 2001 17:15:24 -0700 (MST)


On 22 Aug 2001, Matt Alexander wrote:

> I have a question about NAT (IP Masq) that I've wondered about...
> Let's say you have a setup like this:
> 
>         |
>         |
>         |
>      |-----|
>      | NAT |
>      |-----|
>         |
>         |
>      |-----|       |-----|
>      | HUB |-------| Web |
>      |-----|       |-----|
>         |
>         |
>     |--------|
>     | client |
>     |--------|
> 
> 
> The NAT box is also port-forwarding any requests on port 80 to the Web
> server.  The web server and the client boxes have private IP addresses.
> Users connecting from the Internet are able to access the Web server
> without any problems, but if a user sitting on the internal network on the
> client box tries to access the web server, it will do a lookup and get
> the external IP address of the NAT box, and the connection to the web
> server will fail.  In the past I've dealt with this situation by either
> putting the web server's private IP address in all the clients' hosts
> files, or I've set up a DNS server on the internal network.
> So my question is, why does NAT fail in this situation?  Why doesn't the
> client's request get redirected back to the web server?  I'm fairly
> comfortable with TCP/IP so feel free to get as detailed as possible.


Most likely you are redirecting port 80 for the input chain of the external
eth card to the web server. Requests coming from the inside never make it to
that interface because they hit the IP addy internally via the network
stack.

Put a redirect rule in for the internal input chain destined for port 80 of
your external IP.

I prefer to run internal dns anyway. I don't want my internal IP addies
being propagated on the Net, but I do want them in dns.

Anyone know how to restrict addies to certain IPs or interfaces? e.g.
config 10.5.5.0/24 lookups to only be available to IPs on that subnet?

ciao,

der.hans
-- 
# der.hans@LuftHans.com home.pages.de/~lufthans/ www.DevelopOnline.com
#  Help Jerry Lewis stamp out M$...oops that's MDA - der.hans
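Added example, not part of the thread: a small Python model of a Linux-style NAT box (DNAT in the PREROUTING path, SNAT in POSTROUTING, a connection-tracking table for replies) that walks the SYN/SYN-ACK exchange for the three cases the thread touches on. All addresses and interface names are constructed. It shows the failure der.hans describes (the rule is bound to the external interface, so a LAN client's SYN is delivered to the NAT box's own stack), and it also shows the caveat that comes with the suggested fix: a redirect on the internal interface alone gets the SYN to the web server, but the server then answers the client directly from its private address, and the client, expecting the SYN-ACK from the external IP, tears the connection down. A working hairpin also rewrites the source to the NAT box's internal address so the reply returns through the box; running internal DNS, as der.hans does, avoids the detour entirely.

```python
"""Toy model of a Linux-style NAT box: DNAT in PREROUTING, SNAT in
POSTROUTING, and a conntrack table to undo both on replies.
Constructed example with made-up addresses; it is not a real packet filter."""
import ipaddress
from dataclasses import dataclass, replace

EXT_IF, INT_IF = "eth0", "eth1"           # constructed interface names
EXT_IP = "203.0.113.10"                   # NAT box, Internet side (constructed)
NAT_INT_IP = "192.168.1.1"                # NAT box, LAN side
WEB_IP = "192.168.1.20"                   # internal web server
CLIENT_IP = "192.168.1.50"                # internal client
OUTSIDE_IP = "198.51.100.7"               # a user out on the Internet
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_if: str                            # interface the NAT box received it on


class NatBox:
    def __init__(self, dnat_ifs, hairpin_snat):
        self.dnat_ifs = set(dnat_ifs)     # interfaces where "dport 80 -> WEB_IP" applies
        self.hairpin_snat = hairpin_snat  # rewrite LAN->LAN sources to NAT_INT_IP?
        self.conntrack = {}               # (src, sport, dst) as sent -> (orig src, orig dst)

    def forward(self, pkt):
        """Return the packet as it leaves the box, or None if the box keeps it."""
        orig = pkt
        # PREROUTING: the port-forward only fires on the interfaces the rule names.
        if pkt.dst == EXT_IP and pkt.dport == 80 and pkt.in_if in self.dnat_ifs:
            pkt = replace(pkt, dst=WEB_IP)
        # Routing decision: still addressed to one of our own IPs -> local
        # delivery to the NAT box's stack, where nothing listens on :80.
        if pkt.dst in (EXT_IP, NAT_INT_IP):
            return None
        # POSTROUTING: for LAN->LAN traffic that came through us, rewrite the
        # source so the server's reply comes back via the box, not straight
        # to the client.
        if (self.hairpin_snat and pkt.in_if == INT_IF
                and ipaddress.ip_address(pkt.dst) in LAN):
            pkt = replace(pkt, src=NAT_INT_IP)
        self.conntrack[(pkt.src, pkt.sport, pkt.dst)] = (orig.src, orig.dst)
        return pkt

    def reverse(self, reply):
        """Undo the translations on a reply that comes back through the box."""
        orig_src, orig_dst = self.conntrack[(reply.dst, reply.dport, reply.src)]
        return replace(reply, src=orig_dst, dst=orig_src)


def connect(nat, client_ip, in_if):
    """Simulate one SYN / SYN-ACK exchange and return a one-word verdict."""
    syn = Packet(src=client_ip, dst=EXT_IP, sport=40000, dport=80, in_if=in_if)
    out = nat.forward(syn)
    if out is None:
        return "refused"                  # SYN landed on the NAT box itself
    # The web server answers whatever source address it saw on the SYN.
    synack = Packet(src=WEB_IP, dst=out.src, sport=80, dport=out.sport, in_if=INT_IF)
    if synack.dst != NAT_INT_IP and ipaddress.ip_address(synack.dst) in LAN:
        # Same subnet: the server ARPs for the client and replies directly, so
        # the SYN-ACK arrives from WEB_IP while the client expects EXT_IP.
        return "reset"
    # Off-subnet (or addressed to the box): the reply is routed back through
    # the NAT, which reverses the translations.
    back = nat.reverse(synack)
    return "connected" if (back.src, back.dst) == (EXT_IP, client_ip) else "broken"


def scenarios():
    """Verdicts for the configurations discussed in the thread."""
    ext_only = NatBox(dnat_ifs=[EXT_IF], hairpin_snat=False)
    both_ifs = NatBox(dnat_ifs=[EXT_IF, INT_IF], hairpin_snat=False)
    hairpin = NatBox(dnat_ifs=[EXT_IF, INT_IF], hairpin_snat=True)
    return {
        "outside user, rule on eth0 only": connect(ext_only, OUTSIDE_IP, EXT_IF),
        "LAN client, rule on eth0 only": connect(ext_only, CLIENT_IP, INT_IF),
        "LAN client, redirect on eth1 too": connect(both_ifs, CLIENT_IP, INT_IF),
        "LAN client, redirect + hairpin SNAT": connect(hairpin, CLIENT_IP, INT_IF),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:40s} -> {verdict}")
```

The model deliberately ignores ports other than 80 and any real conntrack timeouts; the point is the order of operations inside the box: interface match, then routing, then source rewrite, and the fact that a LAN server answers a LAN source address directly without consulting the NAT box at all.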