[Firewall] Port forwarding and Transparent DNAT question

Andy Brown andy at thebmwz3.co.uk
Mon Nov 5 08:48:35 MST 2007

Cheers for the effort as always :)

Unfortunately not, I modified that line as it initially failed, so trying:

iptables -t nat -A PREROUTING -d -p tcp --dport 25 -j DNAT 

Still no luck with that unfortunately.


Arno van Amersfoort wrote:
> And if you try:
> iptables -t nat -A PREROUTING -d --dport 25 -j DNAT 
> --to-destination
> Does this fix the problem?
> If so, I need to update the plugin, so please let me know your findings.
> a.
> Andy wrote:
>> Hi all,
>> Having come back to the scripts from using pfsense, due to it being very 
>> inflexible and several problems with ipsec VPNs, I'm using these 
>> excellent scripts.
>> I do have one query, I'm using the transparent DNAT and cannot quite get 
>> it to do what I want.
>> My firewall is on external for example and internal IP
>> My LAN server is on
>> So my firewall points port 80 25 and 143 to via NAT rules.
>> Now, I have added in transparent DNAT as I'd like to be able to connect 
>> to port 143 whilst internal to my network. My dnat settings are:
>> DNAT_TCP_PORTS="25,80,143"
>> I have also tried setting my internal IP to and still no luck.
>> Trying things manually, if I paste a rule:
>> iptables -t nat -A OUTPUT -d -p tcp --dport 25 -j DNAT 
>> --to-destination
>> Then try connecting, I've noticed this in my kernel logs:
>> Nov  4 20:46:17 voyage kernel: NAT: no longer support implicit source 
>> local NAT
>> Nov  4 20:46:17 voyage kernel: NAT: packet src -> dst
>> Which looks bad, is this something that has changed and causes 
>> transparent DNAT not to work anymore with these kernels??
>> Any advice please guys? I'd rather not have to put an internal DNS 
>> intercept/hack to solve this problem if at all possible :)
