I’ve recently re-topologised my whole network, since buying an Eee box before Christmas. Up until then I had been hosting my mail and websites off site in a Xen virtual host, somewhere in the US. I bought the Eee so I could have a server locally; it’s much more powerful than the Xen host, and given that our ISP gave us a static IP, it all seemed like the perfect solution.
So I set up the Eee box on my network here, and told the router to send all traffic aimed at the static IP (93.97.51.193) to the Eee box on the internal network (192.168.3.22). All fine and dandy so far. But what of the machines local to that network which now want to access these sites using their domain names? bleurgh.com resolves to 93.97.51.193. Once the packet hits the router, the router will forward it to 192.168.3.22. But the source address will still be that of the originating host on the local network, in this case 192.168.3.5.
This is a problem, because when the server sends a packet back to the client, it will send it straight to 192.168.3.5 (the two are on the same subnet, so the reply never passes through the router) with 192.168.3.22 as the source address. The client won’t be expecting a reply from 192.168.3.22, since it sent its packet to 93.97.51.193, and will discard it. So what to do?
The router had only rudimentary networking tools on it, so I went and ordered a Linksys WRT45GR from Netgear, only to find that it’s only a bloody router and not an ADSL modem as well. I was planning to put OpenWrt on it, so I could get access to iptables.
A little poking at my current router (a Netgear DG834GT) revealed that it does in fact have a telnet interface. I had tried it before, but the page to enable it, http://192.168.3.1/setup.cgi?todo=debug, was blocked with a password. This was while it still had the firmware it came with on it. I hadn’t tried since I updated to a Netgear firmware, but lo and behold, it works and I got a nice little telnet interface into the router. And iptables! Huzzah!
So, thinking all my Christmases had come at once, I started to poke at iptables, only to discover that I didn’t have the foggiest idea of what I needed to do. I had two ideas in mind, DNAT and SNAT, but neither quite fit on its own.
DNAT modifies the destination address of packets, so I could specify that I wanted all packets for 93.97.51.193 to go to 192.168.3.22. This is what the router is already doing for traffic from the Internet, though, just on the WAN interface; applied to the LAN interface it still leaves the source address as 192.168.3.5, so the same problem of the server responding directly to the client occurs.
SNAT makes all packets to a destination look as if they come from a certain source address. So the server, 192.168.3.22, would see everything as coming from the router (192.168.3.1) and would send its replies back to the router. But SNAT on its own doesn’t redirect packets addressed to 93.97.51.193 to the server.
So for the solution I needed DNAT and SNAT working in combination: DNAT in PREROUTING to send the LAN client’s packet to the server, and SNAT in POSTROUTING to make that packet appear to come from the router, so that the server’s reply comes back to the router, where connection tracking reverses both translations before the reply reaches the client. Note that the POSTROUTING rule matches on the destination 192.168.3.22 rather than 93.97.51.193, because it runs after the DNAT has already rewritten the destination. The rules I used are as follows.
# iptables -t nat -A PREROUTING -s 192.168.3.0/24 -d 93.97.51.193 -j DNAT --to 192.168.3.22
# iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -d 192.168.3.22 -j SNAT --to-source 192.168.3.1
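To see why the two rules have to work together, here is a small model of the router’s NAT path, added here as an illustration and not code from this post or from the DG834GT’s firmware. It uses the addresses from the post; the port numbers, the four-tuple packet model and the simplified connection-tracking table are constructed assumptions. It replays one request from 192.168.3.5 to bleurgh.com’s address with DNAT alone and with DNAT plus SNAT, and reports what the server sees and whether the client gets a reply it can match to its connection.

```python
import ipaddress
from typing import Dict, NamedTuple

# Addresses taken from the post; ports and the flow model are constructed.
LAN = ipaddress.ip_network("192.168.3.0/24")
ROUTER_LAN = "192.168.3.1"     # router's LAN address, used as the SNAT source
PUBLIC_IP = "93.97.51.193"     # the static IP bleurgh.com resolves to
SERVER = "192.168.3.22"        # the Eee box
CLIENT = "192.168.3.5"         # a LAN host browsing to bleurgh.com


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Packet":
        """The tuple a reply to this packet would carry."""
        return Packet(self.dst, self.src, self.dport, self.sport)


def in_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


class Router:
    """Toy nat table: PREROUTING DNAT, optional POSTROUTING SNAT, and the
    connection-tracking entry that undoes both translations on the reply."""

    def __init__(self, snat: bool) -> None:
        self.snat = snat
        # reply tuple as the server will emit it -> reply tuple the client expects
        self.conntrack: Dict[Packet, Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        original = pkt
        # iptables -t nat -A PREROUTING -s 192.168.3.0/24 -d 93.97.51.193 -j DNAT --to 192.168.3.22
        if in_lan(pkt.src) and pkt.dst == PUBLIC_IP:
            pkt = pkt._replace(dst=SERVER)
        # iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -d 192.168.3.22 -j SNAT --to-source 192.168.3.1
        # (runs after DNAT, hence it matches on the already rewritten destination)
        if self.snat and in_lan(pkt.src) and pkt.dst == SERVER:
            pkt = pkt._replace(src=ROUTER_LAN)
        self.conntrack[pkt.reverse()] = original.reverse()
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        """Reverse-translate a reply that came back to the router."""
        return self.conntrack.get(pkt, pkt)


def hairpin(snat: bool) -> dict:
    """One request from CLIENT to PUBLIC_IP:80 through the router, and the
    server's reply, with or without the SNAT rule."""
    router = Router(snat)
    request = Packet(CLIENT, PUBLIC_IP, 40000, 80)
    at_server = router.forward(request)
    # The server answers whichever source address it saw.
    reply = Packet(SERVER, at_server.src, 80, at_server.sport)
    # Everything on 192.168.3.0/24 is on-link, so the reply only passes
    # through the router if it is addressed to the router itself.
    via_router = reply.dst == ROUTER_LAN
    if via_router:
        reply = router.reply(reply)
    return {
        "seen_by_server": at_server,
        "reply_via_router": via_router,
        "reply_at_client": reply,
        # the client's socket is CLIENT:40000 <-> PUBLIC_IP:80; anything else is unmatched
        "client_accepts": reply == request.reverse(),
    }


if __name__ == "__main__":
    for snat in (False, True):
        print("DNAT + SNAT" if snat else "DNAT only", hairpin(snat))
```

Running it shows that with DNAT alone the server answers 192.168.3.5 directly from 192.168.3.22, so the reply bypasses the router and the client, which is waiting on 93.97.51.193, cannot match it to its connection. With the SNAT rule added the reply is addressed to 192.168.3.1, passes back through the router and is untranslated to 93.97.51.193 → 192.168.3.5. The cost is visible in the first field of the result: every hairpinned connection reaches the server with 192.168.3.1 as its source, so the server’s logs can no longer tell LAN clients apart; traffic from the Internet is unaffected, since the rules only match sources in 192.168.3.0/24.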
Making the DG834GT retain this across a reboot is another story. It seems to store settings in /tmp/, which I think gets reset on a factory settings reset, so I’ve put the rules at the end of /tmp/rules.