After setting up iptables, the website can be reached from the extranet but not from the intranet (resolved)

Source: Internet
Author: User

  1. Recently, many people have been asking this question. How come nobody asked before, and now so many people ask? Two days ago I also explained this question carefully on the Huawei Forum, and now I have copied it here. I hope it helps you understand the problem.
  2. This is a theoretical question, so we start with NAT. There are two basic types of NAT: SNAT (Source NAT) and DNAT (Destination NAT). SNAT, source NAT, changes the source IP address at the IP layer of the packet. It is generally used to translate outbound requests from private (non-routable) IP addresses into requests from legitimate public IP addresses; commonly one or a few public IPs carry the outbound traffic of an entire private IP range. DNAT, destination NAT, changes the destination IP address of the packet so that the packet can be redirected; it can be used for load balancing or to redirect external service requests to a server with a private IP inside the network.
  3. Well, that was wordy, but that's roughly the case. The reason the external IP address of a DNAT-ed service cannot be accessed from inside the DNAT network is this: when the service request comes from inside, after the DNAT translation the destination IP is rewritten to the intranet address, say 172.16.10.254, while the IP of the requesting machine is 172.16.10.100. The packet is successfully redirected by the gateway 172.16.10.1 to the service port on 172.16.10.254, and 172.16.10.254 then sends its response to the destination IP taken from the request, which is 172.16.10.100. The problem arises here: 172.16.10.100 sent its request to the external IP, say 221.232.34.56, so it waits for a response from 221.232.34.56, and the response arriving from 172.16.10.254 is considered illegitimate and discarded. That's where the problem lies.
  4. Oh, I wrote that a bit confusingly, sorry. I don't know if you understand. So how do we solve this problem? Here is an example of an iptables implementation:
  5. # First redirect traffic sent to the external IP 221.232.34.56, port 80, to 172.16.10.254. In theory, if you only access it from the extranet, this is all that is needed.
  6. iptables -t nat -A PREROUTING -p tcp -d 221.232.34.56 --dport 80 -j DNAT --to-destination 172.16.10.254
  7. # Handle the case where the intranet accesses the service via the external IP
  8. iptables -t nat -A POSTROUTING -p tcp -d 172.16.10.254 --dport 80 -j SNAT --to-source 172.16.10.1
  9. This forces the server's response to the intranet request to go back to the gateway 172.16.10.1, which relies on the state table established in the kernel to forward it to the real requesting address, 172.16.10.100.
  10. Of course, this is not the best solution. The best solution is to put the server in another network segment, the so-called DMZ (demilitarized zone), so that the problem above does not arise.
  11. If you are not sure, here is a reference document:
  12. http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET
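To make the reasoning above concrete, here is a small Python model of the exchange (an added example, not part of the original post): a client on 172.16.10.100 contacts 221.232.34.56:80, the gateway applies the post's DNAT rule with and without the SNAT rule, and the function reports whether the client's TCP stack would accept the reply. The client port 40000 and the simplified conntrack table are constructed assumptions.

```python
from dataclasses import dataclass

# Addresses taken from the post; the client port used below is a constructed sample.
CLIENT, GATEWAY, SERVER, PUBLIC = "172.16.10.100", "172.16.10.1", "172.16.10.254", "221.232.34.56"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def gateway_forward(pkt, conntrack, hairpin_snat):
    """Apply the post's rules at the gateway: DNAT 221.232.34.56:80 -> server, plus
    (if hairpin_snat) SNAT to the gateway's own address; remember the original packet."""
    if pkt.dst == PUBLIC and pkt.dport == 80:
        new_src = GATEWAY if hairpin_snat else pkt.src
        translated = Packet(new_src, pkt.sport, SERVER, 80)
        conntrack[(SERVER, 80, new_src, pkt.sport)] = pkt
        return translated
    return pkt

def gateway_unnat_reply(pkt, conntrack):
    """Reverse an established translation for a reply coming back from the server."""
    orig = conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if orig is None:
        return pkt
    return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def server_reply(request):
    """The server answers whatever address it saw as the source of the request."""
    return Packet(request.dst, request.dport, request.src, request.sport)

def client_accepts(reply, request):
    """A TCP stack only matches a reply whose source is the address:port it sent to."""
    return (reply.src, reply.sport) == (request.dst, request.dport) and reply.dst == request.src

def simulate(hairpin_snat):
    """Return True if the intranet client's request to the public IP gets a usable reply."""
    conntrack = {}
    request = Packet(CLIENT, 40000, PUBLIC, 80)
    at_server = gateway_forward(request, conntrack, hairpin_snat)
    reply = server_reply(at_server)
    # Client and server share one subnet: the reply only passes through the gateway
    # when it is addressed to the gateway, i.e. when SNAT rewrote the source.
    if reply.dst == GATEWAY:
        reply = gateway_unnat_reply(reply, conntrack)
    return client_accepts(reply, request)
```

simulate(False) returns False because the reply arrives straight from 172.16.10.254, while simulate(True) returns True because the gateway un-NATs it back to 221.232.34.56. Restricting the SNAT rule to intranet sources (for example with -s 172.16.10.0/24) keeps the real client addresses visible to the server for connections arriving from the internet.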

