Andy wrote:
> This last one should read: > iptables -t nat -A POSTROUTING -p tcp --sport 80 -s 65.114.4.69 \ > -j SNAT --to-source <your external IP address on this machine>
NO! that doesn't make sense. In http/https connections, the source port is an arbitrary high port, and the _destination_ port is 80/443.
From the viewpoint of the client yes. But this is the server that should be natted (if not: again my apologies. As stated in my original reply I haven't followed this thread and gave the answer to what I assumed to be the question). The source-port from the server is 80/443.
Traffic from the client arriving at the gateway must be forwarded to the web server.
Therefore you'll need PREROUTING rules having destination-port 80/443 and change to destination to the IP-address of the web server.
Replies coming from the web server must change it's source IP. Those packets have source-ports 80/443 and go in POSTROUTING.
The above line will do that correctly for HTTP.
In order to forward the https trafic either change "80" to "443" end up with 4 lines, 2 PREROUTING and 2 POSTROUTING or use the multiport extension: "-m multiport --dports 80,443" in both lines of the original example.
And on this we agree :)
-- Regards, Andre
