
I have 1 host server as NAT server, it has public domain name example.com tied to its public IP address PUB_IP_ADD.

I have another web server behind NAT with IP address 192.168.1.100, and the port forwarding rule is done on the host server:

-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80

I have some other servers behind NAT with a fixed IP address range 192.168.1.101-110, and the masquerade rule is done for the whole 192.168.1.0/24 range:

-A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE

The above rules let my servers behind NAT access the internet (download and ping public IPs).

My web page can be accessed from the internet by visiting example.com but cannot be accessed from inside the NAT network in those 192.168.1.0/24 by using the same domain name or host server ip address.

I wonder why the web server behind the NAT firewall cannot be accessed by its peers using the NAT server's domain name or IP?

Do I need to add SNAT rules specifically to the web server and remove the masquerade line?

Xianlin
  • so you cannot access web server locally on `192.168.1.100`? – gwillie Sep 08 '15 at 04:57
  • I cannot access the web server from 192.168.1.101 via example.com – Xianlin Sep 08 '15 at 05:03
  • Probably because you do not have `DNS` configured for that domain name for the local network. You could even add an entry to the /etc/hosts file such as `192.168.1.100 example.com`, which would resolve the domain to the IP for that computer – gwillie Sep 08 '15 at 06:42
  • The DNS is set correctly, the domain is registered under GoDaddy, I can access my other GoDaddy domain names from behind NAT as well. – Xianlin Sep 08 '15 at 06:46
  • Looks like a hairpin NAT problem, as asked and answered here: http://serverfault.com/questions/205040/accessing-the-dnatted-webserver-from-inside-the-lan – Mr Purple Sep 28 '15 at 08:54

1 Answer


You may want to use SNAT if you use static IPs as MASQUERADE suffers a penalty as it needs to get the IP address from the network interface.

Also, if you are testing from the firewall computer, it will try to access its own web server instead of the dedicated web server. We need to place a rule in the OUTPUT chain to deal with this case:

iptables -t nat -A OUTPUT -d $INET_IP -p tcp --dport 80 -j DNAT --to-destination $HTTP_IP
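The OUTPUT rule above only covers tests run on the NAT host itself; clients on 192.168.1.0/24 need the hairpin (NAT loopback) rules that the comment thread points to. The script below is an added example, not code from the question, the answer or the linked post; it assumes a placeholder public address 203.0.113.10 in place of PUB_IP_ADD and assumes the NAT host's own LAN-side address is 192.168.1.1. It prints the rules for review and only runs them when APPLY=yes is set and it is executed as root.

```shell
#!/bin/sh
# Hairpin NAT for the setup in the question: LAN clients reaching PUB_IP:80
# must be DNATed to the web server AND the web server's replies must come
# back through the NAT host, otherwise the client sees a reply from
# 192.168.1.100 for a connection it opened to PUB_IP and drops it.
PUB_IP="${PUB_IP:-203.0.113.10}"        # placeholder for PUB_IP_ADD (documentation range)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # from the question
WEB_IP="${WEB_IP:-192.168.1.100}"       # from the question
LAN_GW_IP="${LAN_GW_IP:-192.168.1.1}"   # assumed: NAT host's address on the LAN side

# Emit the rules as text so they can be reviewed before anything is changed.
hairpin_rules() {
    # 1. Like the existing eth0 PREROUTING DNAT, but matched on the LAN source
    #    network instead of the public interface, so LAN-originated packets to
    #    PUB_IP:80 are also redirected to the web server.
    printf '%s\n' "iptables -t nat -A PREROUTING -s $LAN_NET -d $PUB_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80"
    # 2. Source-NAT those redirected packets to the NAT host's LAN address so the
    #    web server replies to the NAT host, which un-DNATs them via conntrack.
    #    MASQUERADE on vmbr0 does not cover this path, since the packet never
    #    leaves through vmbr0.
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -j SNAT --to-source $LAN_GW_IP"
    # 3. The answer's OUTPUT rule, for tests run on the NAT host itself.
    printf '%s\n' "iptables -t nat -A OUTPUT -d $PUB_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80"
}

# Number of rules emitted; handy as a sanity check.
hairpin_rule_count() { hairpin_rules | wc -l | tr -d ' '; }

# Review mode by default; apply only on explicit request and as root.
apply_hairpin_rules() {
    if [ "${APPLY:-no}" = "yes" ] && [ "$(id -u)" -eq 0 ]; then
        hairpin_rules | sh -e
    else
        hairpin_rules
    fi
}

apply_hairpin_rules
```

Rule 2 is the part usually forgotten: without it the first DNAT appears to work (SYNs reach the web server) but connections from LAN clients hang, because the replies bypass the NAT host.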