[wplug] DNAT Headaches
Rick Smith
rick at rbsmith.com
Tue Jul 16 06:38:41 EDT 2002
Have you tried playing with /etc/hosts.allow and /etc/hosts.deny?
Or at least during your testing, comment out everything in
/etc/hosts.deny just to make sure it isn't getting in the way
of blocking connections.
I've beaten my head against a number of problems with connections
to a range of services only to find out it was this. Might
not apply with Apache in your distro.
-- Rick
On Mon, Jul 15, 2002 at 09:18:09PM -0400, Hagbard Celine wrote:
> I'm maintaining a small network here, and want to set up a globally-accessible
> HTTP server. Unfortunately, I'm encountering a problem...
>
> The network (172.16.x.x) consists of three subnets (172.16.0.x, 172.16.1.x,
> and 172.16.2.x). 172.16.1.x has the user workstations, 172.16.2.x has the box
> where Apache lives (with more machines to come), and the gateways talk to each
> other over 172.16.0.x. The Internet gateway is 172.16.1.0/172.16.0.1. I also
> acquired a static IP for my dialup line.
>
> All the machines need to talk to the Internet, so I already have SNAT in place,
> thusly:
>
> iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to 208.0.146.66
>
> This works quite well.
>
> I tried to DNAT to the Apache box in this manner:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to 172.16.2.2
>
> I can connect to Apache via the private network, but attempts to connect via
> the public address return 'connection refused' errors.
>
> Am I missing a fine point somewhere, or am I guilty of some boneheaded error
> (SNAT confusing DNAT, perhaps?)?
>
> Any help greatly appreciated,
> Hagbard
>
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
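Added example (not part of either message in this thread): the gateway
rules the original post's port forward needs, written as a small sh
script, with two checks alongside. It shows three things the two quoted
rules alone do not: a DNATed packet is delivered through the FORWARD
chain, so that chain has to accept it; the "-i ppp0" match only sees
packets that arrive on the dialup, so a test from a LAN workstation
against the public address is not translated and the gateway itself
answers (a refused connection is a reset from some host, where a dropped
packet would simply hang); and Rick's hosts.deny check only bears on
daemons that go through tcp_wrappers. The LAN interface name (eth0), the
172.16.0.0/16 range and the iptables-save output format the checker
matches against are assumptions, marked as such in the code.

```shell
#!/bin/sh
# Added example, not code from the thread. Gateway-side rules for the setup in
# the original post, plus two checks. Values from the post: ppp0, 208.0.146.66,
# 172.16.2.2. ASSUMED (not stated in the post): the LAN side of the gateway is
# eth0 and the whole private range is 172.16.0.0/16.
WAN_IF=ppp0
WAN_IP=208.0.146.66
LAN_IF=eth0
LAN_NET=172.16.0.0/16
WEB_IP=172.16.2.2

# Print the complete rule set; "./dnat.sh apply" pipes it through sh as root.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Outbound source NAT, as in the post.
iptables -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
# Internet -> web box, as in the post.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_IP
# A DNATed packet is then routed through FORWARD, not INPUT. With a DROP or
# REJECT policy on FORWARD the DNAT rule appears to do nothing.
iptables -A FORWARD -d $WEB_IP -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Hairpin case: a LAN host that tests the public address arrives on $LAN_IF,
# so the "-i $WAN_IF" rule above never sees it and the gateway answers for
# itself (a reset, i.e. "connection refused", if nothing listens on its
# port 80). Translate those too, and masquerade them so the reply comes back
# through the gateway instead of going to the client directly.
iptables -t nat -A PREROUTING -i $LAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP
iptables -t nat -A POSTROUTING -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -j MASQUERADE
EOF
}

# Rick's suggestion, as a check rather than a blanket edit: exit 0 if the
# given hosts.deny contains an active (uncommented) "ALL: ALL" line. Only
# daemons linked against libwrap or started through tcpd honour that file;
# a stand-alone Apache normally does not, so this explains a refused
# connection only for wrapped services.
blanket_deny() {
    grep -E '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1" >/dev/null
}

# Read an iptables-save dump on stdin and confirm both halves of the port
# forward are present: the DNAT in PREROUTING and a FORWARD rule that admits
# the translated traffic. The patterns follow iptables-save's own output
# format (an ASSUMPTION about the version in use; "-d a.b.c.d/32" and
# "-d a.b.c.d" are both accepted). Usage: iptables-save | ./dnat.sh check
check_dump() {
    dump=$(cat)
    ok=0
    printf '%s\n' "$dump" | grep -E "^-A PREROUTING .*--dport 80 .*-j DNAT --to-destination $WEB_IP" >/dev/null \
        || { echo "missing: PREROUTING DNAT of port 80 to $WEB_IP"; ok=1; }
    printf '%s\n' "$dump" | grep -E "^-A FORWARD .*-d $WEB_IP(/32)? .*--dport 80 .*-j ACCEPT" >/dev/null \
        || { echo "missing: FORWARD rule accepting $WEB_IP:80 (DNAT never delivers)"; ok=1; }
    return $ok
}

case "${1:-}" in
    print) nat_rules ;;
    apply) nat_rules | sh ;;        # run as root
    check) check_dump ;;
    *) ;;                           # no argument: just define the functions
esac
```

Run it as "./dnat.sh print" to see the rules, "./dnat.sh apply" as root to
load them, and "iptables-save | ./dnat.sh check" to confirm both halves of
the forward are present. Flush any existing rules first, or the new ones
simply append behind whatever is already there.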