I have 1 host server as NAT server, it has public domain name example.com tied to its public IP address PUB_IP_ADD.
I have another web server behind NAT with IP address 192.168.1.100 and port forwarding rules is done on the host server:
-A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j DNAT –to-destination 192.168.1.100:80
I have some other servers behind NAT with fixed ip address range 192.168.1.101-110 and the masquerade rules are done for the whole 192.168.1.0/24 range:
-A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE
the above rules can let my servers behind NAT access internet. (download and ping public ips).
My web page can be accessed from the internet by visiting example.com but cannot be accessed from inside the NAT network in those 192.168.1.0/24 by using the same domain name or host server ip address.
I wonder, why the web server behind the NAT firewall cannot be accessed by its peers by using NAT server domain name or IP?
Do I need to add SNAT rules specifically to the web server and remove the masquerade line?
Best Answer
You may want to use SNAT if you use static IPs as MASQUERADE suffers a penalty as it needs to get the IP address from the network interface.
Also, if you are testing from the firewall computer, it will try to access its own web server instead of the dedicated web server. We need to place a rule in the OUTPUT chain to deal with this case: