There is a network 192.168.1.0/24. It has a group of PCs that need access to just one site. The network has a router on Ubuntu Server 11.04; its IP is 192.168.1.4. It is necessary that if a client connects via HTTP to 192.168.1.4:80, it gets access to the site, say www.yandex.ru. That is, iptables should change the IP addresses in the packets so that the packets leave the router 192.168.1.4, go to www.yandex.ru, and come back through the same router (which replaces the source and destination addresses) to the PC in the local network. That is, the PCs think that they are connecting to a web server on 192.168.1.4, and 192.168.1.4 rewrites and forwards the packets to www.yandex.ru and back ... It is necessary that this works on the Network layer of the OSI model. Note: the site www.yandex.ru is taken as an example.

  • So what's your problem? More like a learning task. - Dex

1 answer

For such a case, you do not need:

  1. Use the PREROUTING chain, where with DNAT you replace the destination IP (on the local network) with the Yandex IP (on the global one), not forgetting to add a filter on the port and on the source (your group of PCs), if necessary.
  2. Use the POSTROUTING chain, where with SNAT you replace the source IP with the IP address of your server, but now the external one; here you can only filter on port 80.

Thus, having passed through the two rules, the packet is completely transformed from local to global, and on the way back everything happens in reverse.
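As an added illustration of the two rules above (this is not the answerer's own script), the shell snippet below builds the DNAT/SNAT rule set for the router 192.168.1.4 from the question. The target site's address (`SITE_IP`), the router's external address (`ROUTER_WAN_IP`) and the list of allowed PCs are placeholders constructed for the example; the real site IP has to be resolved separately, since DNAT takes an address, not a host name. The script prints the commands for review by default and applies them only when invoked with `apply`, and it adds the FORWARD filtering the answer implies: only the listed PCs, only TCP/80, only to that one site, everything else from the LAN refused.

```shell
#!/bin/sh
# Added example (not from the original answer). Router LAN IP is from the
# question; SITE_IP, ROUTER_WAN_IP and ALLOWED_PCS are placeholders.
LAN_NET="192.168.1.0/24"
ROUTER_LAN_IP="192.168.1.4"
ROUTER_WAN_IP="198.51.100.4"   # PLACEHOLDER: the router's external address
SITE_IP="203.0.113.10"         # PLACEHOLDER: the resolved IP of the one allowed site
ALLOWED_PCS="192.168.1.10 192.168.1.11 192.168.1.12"  # constructed PC group

# Emit the iptables commands without running them, so the rule set can be
# reviewed (or checked by a test) before it touches a live router.
build_rules() {
    # Forwarding must be on, or the DNATed packets never leave the router.
    echo "sysctl -w net.ipv4.ip_forward=1"
    for pc in $ALLOWED_PCS; do
        # 1. PREROUTING/DNAT: only listed PCs, only TCP/80 aimed at the router's LAN IP,
        #    destination rewritten to the site.
        echo "iptables -t nat -A PREROUTING -s $pc -d $ROUTER_LAN_IP -p tcp --dport 80 -j DNAT --to-destination $SITE_IP:80"
        # FORWARD filter: allow exactly that rewritten flow and nothing else.
        echo "iptables -A FORWARD -s $pc -d $SITE_IP -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    # Replies for tracked connections are let back in; conntrack undoes the NAT.
    echo "iptables -A FORWARD -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. POSTROUTING/SNAT: rewrite the source to the router's external IP so the
    #    site answers the router, not a private 192.168.1.x address.
    echo "iptables -t nat -A POSTROUTING -d $SITE_IP -p tcp --dport 80 -j SNAT --to-source $ROUTER_WAN_IP"
    # Everything else forwarded from the LAN is refused ("just one site").
    echo "iptables -A FORWARD -s $LAN_NET -j REJECT"
}

# Count rule lines matching a pattern; a quick sanity check before applying.
count_rules() {
    build_rules | grep -c -- "$1"
}

# Apply only when explicitly asked; the default is to print for review.
if [ "$1" = "apply" ]; then
    build_rules | while read -r cmd; do eval "$cmd"; done
else
    build_rules
fi
```

Rule order matters in FORWARD: the ESTABLISHED,RELATED rule must precede the final REJECT, otherwise return traffic is dropped. Because the DNAT rule keys on the router's own LAN address and port 80, the router's own services on other ports are unaffected, and a PC not in `ALLOWED_PCS` simply reaches whatever (if anything) listens on 192.168.1.4:80.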