Using iptables to forward vnc SOLVED-ish

Kenneth Porter shiva at sewingwitch.com
Fri Sep 17 00:27:36 UTC 2004


--On Friday, September 17, 2004 9:43 AM +1000 Michael Hart 
<mixstat at bigpond.net.au> wrote:

> How is any internet connection working through the gateway without SNAT
> or MASQUERADE?  I thought this was required for all protocols?
>
> Basically any connection going out from an internal machine would have
> to be SNATed to your real internet address so the box at the other end
> knows the right internet (not lan) source IP to send responses to.

The issue is that he's trying to do "one-armed" NAT. Most of us are 
familiar with NAT on a multi-homed system: The packets come in through one 
interface and get NAT'd before going out the other one. He's trying to also 
NAT from an interface to itself, but the reply packets aren't going through 
the gateway. Instead, they go direct to the originating client and confuse 
it.

It's still a routing issue. The routing table on the server tells it that 
it can send the replies direct. One solution is to run two subnets on the 
same LAN, with the client in one subnet and the server in the other. The 
gateway would have a virtual interface defined for the second subnet. This 
forces the server to send the replies to the gateway.
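The reply above cures the problem with routing (a second subnet so the server must hand its replies to the gateway). The other common cure, shown in the following added example that is not part of the original thread, is to do it in iptables: besides the DNAT that forwards the VNC port, SNAT the hairpinned LAN connections to the gateway's own LAN address, so the server's routing table has no choice but to send the replies back through the gateway. Interface names, addresses (203.0.113.5 as the public address, 192.168.1.0/24 as the LAN, 192.168.1.10 as the VNC server) and the DRY_RUN switch are all assumptions made for the example; the DNAT-only variant is included only to show the broken state the thread describes.

```shell
#!/bin/sh
# Added example: "one-armed" (hairpin) NAT for a VNC server behind an iptables gateway.
# Every address and interface below is an assumption for the example.
WAN_IF=eth0                 # interface facing the Internet
LAN_IF=eth1                 # interface facing the LAN
PUBLIC_IP=203.0.113.5       # the gateway's Internet address that clients connect to
GW_LAN_IP=192.168.1.1       # the gateway's own LAN address
LAN_NET=192.168.1.0/24
VNC_SERVER=192.168.1.10
VNC_PORT=5900

# DRY_RUN=1 (the default) prints each command instead of running it, so the
# rule set can be reviewed on any machine; DRY_RUN=0 applies it for real (as root).
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}
ipt() { run iptables "$@"; }

# Rules common to both variants: enable forwarding, drop forwarded traffic by
# default, let replies of known connections through, accept new VNC connections
# from the Internet to the server only, and masquerade ordinary outbound traffic.
# (Older iptables spells the conntrack match as "-m state --state".)
base_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$VNC_SERVER" -p tcp --dport "$VNC_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# The DNAT rule is the same in both variants. Because the gateway owns
# $PUBLIC_IP, packets from LAN clients addressed to it also arrive in
# PREROUTING and are redirected to the server exactly like Internet traffic.
dnat_rule() {
    ipt -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$VNC_PORT" \
        -j DNAT --to-destination "$VNC_SERVER:$VNC_PORT"
}

# Variant 1, the broken state from the thread: DNAT only. A LAN client that
# connects to $PUBLIC_IP:$VNC_PORT is redirected to the server, but the server
# still sees the client's real LAN address as the source, so its routing table
# sends the SYN/ACK straight to the client on the LAN. The client receives a
# reply from $VNC_SERVER for a connection it opened to $PUBLIC_IP and drops it.
broken_rules() {
    dnat_rule
    base_rules
}

# Variant 2, hairpin NAT: additionally rewrite the source of LAN-originated
# packets that were DNATed to the server so they appear to come from the
# gateway's LAN address. The server must now reply to the gateway, where
# conntrack undoes the SNAT and the DNAT before passing the packet to the client.
# The extra FORWARD rule admits the LAN-to-LAN hairpinned connection itself.
hairpin_rules() {
    dnat_rule
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$VNC_SERVER" -p tcp --dport "$VNC_PORT" \
        -j SNAT --to-source "$GW_LAN_IP"
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$VNC_SERVER" -p tcp --dport "$VNC_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    base_rules
}

echo "# DNAT only (server replies bypass the gateway):"
broken_rules
echo
echo "# DNAT plus hairpin SNAT (server replies go via the gateway):"
hairpin_rules
```

Two caveats a practitioner should weigh before choosing the SNAT approach over the second subnet: the server now sees every hairpinned LAN client as 192.168.1.1, so its own logs and any host-based access control on the VNC server can no longer tell LAN clients apart, and the hairpin SNAT rule must stay narrower than the MASQUERADE rule (it is bound to the server address and port here) so that it never rewrites ordinary LAN traffic.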

More information about the fedora-list mailing list