Archive for the tag 'LAN'

SBDavid
Oct 14th, 2009

iptables rule for routing outside the range of the LAN

iptables rule for routing outside the range of the LAN.

LAN range - 192.168.1.0/24
Outside LAN IP - 10.0.4.2

To set a rule for routing incoming HTTP requests to a dedicated HTTP server at 10.0.4.2 (outside of the 192.168.1.0/24 range of the LAN), NAT calls a PREROUTING table to forward the packets to their proper destination:

iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j DNAT –to-destination 10.0.4.2:80

iptables rules can be set to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a demilitarized zone (DMZ) — a special local subnetwork dedicated to providing services on a public carrier such as the Internet.

With this command, all HTTP connections to port 80 from the outside of the LAN are routed to the HTTP server on a separate network from the rest of the internal network. This form of net work segmentation can prove safer than allowing HTTP connections to a machine on the network. If the HTTP server is configured to accept secure connections, then port 443 must be forwarded as well.