Destination NAT Onto the Same Network from internal clients

Posted by mivi on Server Fault See other posts from Server Fault or by mivi
Published on 2012-04-06T18:01:44Z Indexed on 2012/04/06 23:32 UTC
Read the original article Hit count: 296

Filed under:
|
|
|

I have a DSL router which acts as NAT (SNAT & DNAT). I have setup a server on internal network (10.0.0.2 at port 43201). DSL router was configured to "port forward" (or DNAT) all incoming connections to 10.0.0.2:43201.

I created a virtual server for port forwarding on DSL router. I also added following iptables rules for port forwarding.

iptables -t nat -A PREROUTING -p tcp -i ppp_0_1_32_1 --dport 43201 -j DNAT --to-destination 10.0.0.2:43201
iptables -I FORWARD 1 -p tcp -m state --state NEW,ESTABLISHED,RELATED -d 10.0.0.2 --dport 43201 -j ACCEPT

# ppp_0_1_32_1 is routers external interface.
# routers internal IP address is 10.0.0.1 and server is setup at 10.0.0.2:43201

Problem is that connections coming from external IP addresses are able to access internal server using External IP address, but internal clients (under NAT) are not able to access server using external IP address.

Example: http://<external_address>:43201 is working from external clients
But, internal clients are not able to access using http://<external_address>:43201

This seems to be similar to the problem described in http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html (NAT HOW-TO Destination NAT Onto the Same Network).

Firstly, I am not able to understand why is this a problem for internal clients? Secondly, what iptables rule will enable internal clients to access server using external IP address? Please suggest.

© Server Fault or respective owner

Related posts about iptables

Related posts about router