# Router local nat setup

## kuteninja

I've installed a Gentoo server to work as a router in our office.

It works really great, but then I've come up against something that I can't fix by myself. This is the data:

In my iptables, I have eth1 (internal LAN) with the range 192.168.1.0/24 and eth0 with the WAN access directly.

The server runs dhcpd and upnpd, and all software connects to the internet normally.

This is the deal: I have a local server that runs on ports 443 and 22, and I have remotely done a DNAT for that server:

```
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.214
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.214
/sbin/iptables -A FORWARD -d 192.168.1.214/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.1.214/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
```

But, when I connect via LAN, I have to use the local IP or edit my hosts file manually, because the domain name points to my WAN IP and the router doesn't NAT my LAN connection back to the LAN.

E.g.: I'm on computer 192.168.1.5 and I want to see my site. Firefox looks for it via the gateway (192.168.1.1, the Gentoo router); it gets redirected from eth1 to eth0 to go outside, but then... it never comes back.

So, if I go to https://mysite.com from outside my LAN it works, but not from within my LAN (without editing the hosts file).

This is my iptables-save setup:

```
# Generated by iptables-save v1.4.3.2 on Mon Sep  7 18:53:38 2009
*filter
:INPUT ACCEPT [102157:33870724]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [87520:14114241]
-A FORWARD -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.214/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 192.168.1.214/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.113/32 -p udp -m udp --dport 53326 -j ACCEPT
-A FORWARD -d 192.168.1.204/32 -p tcp -m tcp --dport 53761 -j ACCEPT
COMMIT
# Completed on Mon Sep  7 18:53:38 2009
# Generated by iptables-save v1.4.3.2 on Mon Sep  7 18:53:38 2009
*nat
:PREROUTING ACCEPT [85389:6440263]
:POSTROUTING ACCEPT [10989:1117766]
:OUTPUT ACCEPT [5519:807542]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 53761 -j DNAT --to-destination 192.168.1.204:53761
-A PREROUTING -i eth0 -p udp -m udp --dport 53326 -j DNAT --to-destination 192.168.1.113:53326
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.214
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.214
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -d 190.2.37.67/32 -j MASQUERADE
COMMIT
# Completed on Mon Sep  7 18:53:38 2009
```

I've noticed the "-i eth0" in the iptables rules, but if I remove that, I believe all the other port 443 sites will stop working (like gmail.com).

How can I redirect port 443 from the LAN to my webserver without affecting the other sites?

----------

## nuhiNlow

Try the MASQUERADE directive.

Shorewall + Webmin might help you as well.

Works for me.

----------

## Hu

The easiest solution would be to remove -i eth0 and instead use -d IP-of-eth0, so that any requests addressed to the public IP are redirected, without regard to their origin.  This has the unfortunate side effect that your gateway is handling internal requests, which might cause secondary issues.  A better fix is to contact the HTTPS server by its proper address in the first place.  A split DNS might help here.

----------

## kuteninja

I think you are not catching me.

 *lysergia wrote:*   

> Shorewall + Webmin might help you as well. 

First, Shorewall is a FIREWALL, and Webmin is a CONTROL PANEL.

I need to add iptables rules, not filter them...

On the MASQUERADE thing, I have already added it...

```
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -d 190.2.37.67/32 -j MASQUERADE
```

OK, now I have a webserver on MY LAN at the local IP .214.

I have a domain name pointed to my WAN IP address.

I made the NAT setup so that ports 443 and 22 on my WAN IP address get NATed to the local LAN host .214.

That WORKS.

Now, I have a redirection made so that all traffic from the LAN (eth1) goes out via the WAN (eth0) so I can have internet.

That also WORKS.

But the 443 redirection only works from the outside; if I add a NAT for eth1, it gets somehow looped or stuck.

I believe this is because it tries to reach the LAN address (192.168.1.214) from eth0, which is the other interface.

So, when I visit my domain name from outside my network, my router NATs you to the local one and the site works, but from within the network it doesn't work, and I have to add the site to the hosts file manually on each computer to force it to use the local address. I don't want that; I want the NAT to be bidirectional.

If I made myself clear now, I'd like some help with it, thanks =)

----------

## nuhiNlow

http://markmail.org/message/f6r6tkkn6hvwtfsi

----------

## kuteninja

 *lysergia wrote:*   

> http://markmail.org/message/f6r6tkkn6hvwtfsi

 

Thanks! I was missing the part about that "TCP triangle", and I think that was why it didn't work when I used the eth1 redirection.

These are the final iptables commands:

```
# External NAT from eth0 (wan)
iptables -t nat -A PREROUTING -i eth0 -d $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination $PRIVATE_IP

# Internal NAT from eth1 (lan)
iptables -t nat -A PREROUTING -i eth1 -d $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination $PRIVATE_IP

# Fix for the responses never going back on the LAN:
iptables -t nat -A POSTROUTING -o eth1 -s $PRIVATE_LAN/$NM -d $PRIVATE_IP -j MASQUERADE
```

Here PRIVATE_IP is the LAN (local server) IP, PUBLIC_IP the WAN (remote) IP, and PRIVATE_LAN/NM the LAN network and netmask; eth0 is the WAN interface and eth1 the LAN interface.

----------
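The three configurations discussed in this thread (DNAT from eth0 only, DNAT from eth1 without the extra MASQUERADE, and the final hairpin setup) can be walked through with a small packet model. The following is an added example, not code from any post above: it models the PREROUTING DNAT, the routing decision and the POSTROUTING MASQUERADE for one SYN from the LAN client and the server's SYN/ACK, and shows why the reply only reaches the client correctly when the router also rewrites the source (the "TCP triangle"). The LAN, router, server and client addresses are the ones from the thread; the public address 203.0.113.10 and the external client 198.51.100.7 are constructed placeholders.

```python
"""Toy model of hairpin NAT (the "TCP triangle") for a LAN client reaching the
public IP of an internal server. Added example; addresses 203.0.113.10 and
198.51.100.7 are constructed placeholders, the rest come from the thread."""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN_IP = "192.168.1.1"   # the Gentoo router's eth1 address
PUBLIC_IP = "203.0.113.10"      # constructed placeholder for the WAN (eth0) address
PRIVATE_IP = "192.168.1.214"    # internal HTTPS server
CLIENT_IP = "192.168.1.5"       # LAN workstation
OUTSIDE_IP = "198.51.100.7"     # constructed placeholder for an internet client


def rules_for(scenario):
    """PREROUTING (in_iface, dst, dport, new_dst) and POSTROUTING
    (out_iface, src_net, dst, new_src) rules for the three configurations."""
    pre = [("eth0", PUBLIC_IP, 443, PRIVATE_IP)]               # external DNAT
    post = [("eth0", None, None, PUBLIC_IP)]                   # MASQUERADE out the WAN
    if scenario in ("lan_dnat_only", "hairpin"):
        pre.append(("eth1", PUBLIC_IP, 443, PRIVATE_IP))       # internal DNAT
    if scenario == "hairpin":
        post.append(("eth1", LAN, PRIVATE_IP, ROUTER_LAN_IP))  # hairpin MASQUERADE
    return pre, post


def out_iface(dst):
    """Minimal routing table: LAN hosts via eth1, everything else via eth0."""
    return "eth1" if ipaddress.ip_address(dst) in LAN else "eth0"


def forward(pkt, scenario):
    """Push one packet through PREROUTING, routing and POSTROUTING.
    Returns the packet as the next hop sees it, or None if the router
    delivers it to itself (INPUT chain) instead of forwarding it."""
    pre, post = rules_for(scenario)
    pkt = dict(pkt)
    for in_if, dst, dport, new_dst in pre:            # first matching DNAT wins
        if (in_if, dst, dport) == (pkt["in"], pkt["dst"], pkt["dport"]):
            pkt["dst"] = new_dst
            break
    if pkt["dst"] == PUBLIC_IP:
        return None  # still addressed to the router itself: not forwarded
    pkt["out"] = out_iface(pkt["dst"])
    for out_if, src_net, dst, new_src in post:        # first matching SNAT wins
        src_ok = src_net is None or ipaddress.ip_address(pkt["src"]) in src_net
        dst_ok = dst is None or dst == pkt["dst"]
        if out_if == pkt["out"] and src_ok and dst_ok:
            pkt["src"] = new_src
            break
    return pkt


def reply_source_seen_by(client_ip, in_if, scenario):
    """Simulate client -> PUBLIC_IP:443 and the server's SYN/ACK. Returns the
    source address the client sees on the reply, or None if no reply arrives."""
    syn = {"src": client_ip, "dst": PUBLIC_IP, "sport": 40000, "dport": 443, "in": in_if}
    at_server = forward(syn, scenario)
    if at_server is None:
        return None  # router has no listener on 443: connection refused
    reply_dst = at_server["src"]  # the server answers whoever it saw as source
    if ipaddress.ip_address(reply_dst) in LAN and reply_dst != ROUTER_LAN_IP:
        # Same subnet: the server sends the SYN/ACK straight to the client,
        # bypassing the router; the client sees 192.168.1.214, not PUBLIC_IP,
        # finds no matching connection and resets it.
        return PRIVATE_IP
    # Reply passes through the router; conntrack undoes both rewrites.
    return PUBLIC_IP


def lan_client_succeeds(scenario):
    return reply_source_seen_by(CLIENT_IP, "eth1", scenario) == PUBLIC_IP


def outside_client_succeeds(scenario):
    return reply_source_seen_by(OUTSIDE_IP, "eth0", scenario) == PUBLIC_IP


if __name__ == "__main__":
    for s in ("wan_only", "lan_dnat_only", "hairpin"):
        print(f"{s:14s} LAN client ok: {lan_client_succeeds(s)!s:5}  "
              f"outside client ok: {outside_client_succeeds(s)}")
```

The hairpin MASQUERADE rule deliberately matches only `-o eth1 -s LAN -d PRIVATE_IP`, so external clients are unaffected: the server still sees their real source address in its logs, and only LAN-originated hairpin connections are logged as coming from the router.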

