Access a local server from the firewall's public IP

Hello all,

I'm configuring a DNS firewall and I got stuck in the following situation: one of my teammates must access a local server (192.168.1.2:10100) but he must do it using the firewall's public IP (say, 200.221.1.21). I ran ping over those IPs and all seems to be working fine.
I tried the following code in nat's PREROUTING chain:

Code:

---

$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -o $INET_IFACE -d $INET_IP --dport 10100 -j DNAT --to-destination 192.168.1.2

---

In the POSTROUTING:

Code:

---

$IPTABLES -t nat -A POSTROUTING -p TCP -o $LAN_IFACE --dport 10100 -j SNAT --to-source LAN_IP

---

$IPTABLES = /usr/sbin/iptables
LAN_IFACE = eth1
INET_IFACE = eth0
INET_IP = Firewall's public IP
LAN_IP = 192.168.1.1 (Firewall's private IP)

Also, I tried adding the port to the server's host, like 192.168.1.2:10100 or --sport 10100 (in the POSTROUTING) but that didn't work either
I'm not a linux hacker but a hard worker and I'm really trying my best to find a solution to this (searching google for about 6~7 hours now)
Anyway, thanks in advance :)

In your post routing you have posted:

...--to-source LAN_IP

In your actual rule have you got $LAN_IP?

Hi Kieren,

Thanks for the reply.
Actually that was my fault. In the script I'm using the IP in the form xxx.xxx.xxx.xxx.
Cya :p

Hello all,
Anyone has got any ideas how to solve such problem :confused:? Still couldn't realize what do.
Should I write those rules in INPUT and OUTPUT chains (as I'm dealing with firewall's IP)?
Thanks in advance

Sorry, from your reply I thought you had fixed it.

Your rules look okay to me. In your prerouting chain you have "-i $LAN_IFACE". This means you're expecting the request to come in on the NATs eth1 device. Are you sure you're not meant to have the input device as eth0?

Hi Kieren,

Indeed, I've solved the problem: thing is, I wasn't updating the previous applied rules, so things would be pretty messy after some time.
Thanks for replying and have a nice day all :p