26 Dec, 2007
protocol TCP or UDP, which is selected with the --protocol option in the match.

The DNAT target is somewhat more complicated to use and needs some explanation. Let us look at a simple example. We have a web server and we want to allow access to it from the Internet. We have only one real IP address, and the web server is located on the local network. The real address $INET_IP is assigned to the firewall, the HTTP server has the local address $HTTP_IP and, finally, the firewall has the local address $LAN_IP. To begin with, add a simple rule to the PREROUTING chain of the nat table:

iptables -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 80 -j DNAT \
  --to-destination $HTTP_IP

According to this rule, all packets arriving at port 80 of the address $INET_IP are redirected to our internal web server. If we now connect to the web server from the Internet, everything works fine. But what happens if we try to connect to it from the local network? The connection simply will not be established. Let us look at how the packets going from the Internet to our web server are routed. For simplicity, assume the address of the client on the Internet is $EXT_BOX.

1. The packet leaves the client host with source address $EXT_BOX and is sent to $INET_IP.
2. The packet arrives at our firewall.
3. The firewall, according to the rule above, replaces the destination address and passes the packet on to the other chains.
4. The packet is forwarded to $HTTP_IP.
5. The packet reaches the HTTP server, and the server sends its reply through the firewall, provided the firewall is the gateway for $EXT_BOX in the server's routing table. As a rule, the firewall is the default gateway of the HTTP server.
6. The firewall reverses the address substitution in the packet; now everything looks as if the packet had been generated on the firewall itself.
7. The packet is delivered to the client $EXT_BOX.

Now let us look at what happens when the request is sent from a host located on the same local network. For simplicity, assume the client's address on the local network is $LAN_BOX.

1. The packet leaves $LAN_BOX.
2. It enters the firewall.
3. The destination address is replaced; the source address, however, is not, i.e. the original address remains in the packet unchanged.
4. The packet leaves the firewall and goes to the HTTP server.
5. The HTTP server, preparing to send its reply, finds that the client is on the local network (since the request packet carried the original source address, which has now become the destination address) and therefore sends the packet directly to $LAN_BOX.
6. The packet arrives at $LAN_BOX. The client is "confused", because the reply came from a host other than the one the request was sent to. The client therefore drops the reply packet and keeps waiting for the "real" reply.

The problem is solved quite simply with SNAT. The rule that does this is given below. It forces the HTTP server to send its replies to our firewall, which then passes them on to the client.

iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT \
  --to-source $LAN_IP

Remember that the POSTROUTING chain is processed last, so by the time a packet reaches it, it has already gone through DNAT; therefore the cri
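To make the two packet flows above concrete, here is an added Python model of the DNAT/SNAT behaviour; it is not code from the tutorial, and the addresses are constructed stand-ins for $INET_IP, $LAN_IP, $HTTP_IP, $EXT_BOX and $LAN_BOX, with the functions firewall_nat, server_next_hop and http_request being my own. It shows the LAN client's reply being dropped without the POSTROUTING SNAT rule and accepted once the rule is in place, while the Internet client works either way.

```python
import ipaddress

# Constructed sample addresses standing in for the tutorial's variables.
INET_IP = "203.0.113.10"    # $INET_IP: firewall, Internet side
LAN_IP = "192.168.1.1"      # $LAN_IP: firewall, LAN side (default gateway of the LAN)
HTTP_IP = "192.168.1.80"    # $HTTP_IP: web server on the LAN
EXT_BOX = "198.51.100.7"    # $EXT_BOX: client on the Internet
LAN_BOX = "192.168.1.50"    # $LAN_BOX: client on the same LAN as the server
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def firewall_nat(pkt, hairpin_snat):
    """PREROUTING DNAT, then POSTROUTING SNAT if the hairpin rule is present.

    Mirrors the two rules from the text: POSTROUTING sees the already-DNATed
    destination, so the SNAT rule matches on $HTTP_IP, not on $INET_IP.
    """
    pkt = dict(pkt)
    if pkt["dst"] == INET_IP and pkt["dport"] == 80:
        pkt["dst"] = HTTP_IP                    # -j DNAT --to-destination $HTTP_IP
    if hairpin_snat and pkt["dst"] == HTTP_IP and pkt["dport"] == 80:
        pkt["src"] = LAN_IP                     # -j SNAT --to-source $LAN_IP
    return pkt


def server_next_hop(reply_dst):
    """Server routing: on-link LAN hosts are reached directly, all else via the firewall."""
    return reply_dst if ipaddress.ip_address(reply_dst) in LAN_NET else LAN_IP


def http_request(client_ip, hairpin_snat):
    """Simulate one request/reply; return (client_accepts_reply, reply_source_seen)."""
    orig = {"src": client_ip, "dst": INET_IP, "sport": 40000, "dport": 80}
    xlat = firewall_nat(orig, hairpin_snat)
    # The server answers the source address it saw on the translated request.
    reply = {"src": xlat["dst"], "dst": xlat["src"], "sport": 80, "dport": xlat["sport"]}
    if server_next_hop(reply["dst"]) == LAN_IP:
        # The reply reaches the firewall (as gateway, or because $LAN_IP is the
        # destination itself); conntrack reverses both translations.
        reply["src"], reply["dst"] = orig["dst"], orig["src"]
    # The client accepts only a reply from the address it sent the request to.
    accepted = reply["src"] == orig["dst"] and reply["dst"] == orig["src"]
    return accepted, reply["src"]
```

Because the SNAT rule matches every packet to $HTTP_IP port 80, the web server sees $LAN_IP as the source of every request, so its access logs no longer show the real client address.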