[Firewall] Port forwarding and Transparent DNAT question

Andy Brown andy at thebmwz3.co.uk
Mon Nov 5 08:48:35 MST 2007


Cheers for the effort as always :)

Unfortunately not, I modified that line as it initially failed, so trying:

iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1:25

Still no luck with that unfortunately.

Regards,
Andy



Arno van Amersfoort wrote:
> And if you try:
> iptables -t nat -A PREROUTING -d 1.2.3.4 --dport 25 -j DNAT --to-destination 192.168.55.1:25
> 
> Does this fix the problem?
> 
> If so, I need to update the plugin, so please let me know your findings.
> 
> a.
> 
> Andy wrote:
>> Hi all,
>> Having come back to the scripts from using pfsense, due to it being very 
>> inflexible and several problems with ipsec VPNs, I'm using these 
>> excellent scripts.
>> I do have one query, I'm using the transparent DNAT and cannot quite get 
>> it to do what I want.
>>
>> My firewall is on external 1.2.3.4 for example and internal IP 192.168.55.2
>> My LAN server is on 192.168.55.1
>> So my firewall points ports 80, 25 and 143 to 192.168.55.1 via NAT rules.
>>
>> Now, I have added in transparent DNAT as I'd like to be able to connect 
>> to 1.2.3.4 port 143 whilst internal to my network. My dnat settings are:
>> ENABLED=1
>> DNAT_MY_INTERNAL_IP="192.168.55.2"
>> DNAT_MY_EXTERNAL_IP="195.97.244.58"
>> DNAT_TCP_PORTS="25,80,143"
>> DNAT_UDP_PORTS=""
>>
>> I have also tried setting my internal IP to 192.168.55.1 and still no luck.
>>
>> Trying things manually, if I paste a rule:
>> iptables -t nat -A OUTPUT -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1:25
>>
>> Then try connecting, I've noticed this in my kernel logs:
>>
>> Nov  4 20:46:17 voyage kernel: NAT: no longer support implicit source 
>> local NAT
>> Nov  4 20:46:17 voyage kernel: NAT: packet src 192.168.55.2 -> dst 1.2.3.4
>>
>> Which looks bad, is this something that has changed and causes 
>> transparent DNAT not to work anymore with these kernels?
>>
>> Any advice please guys? I'd rather not have to put an internal DNS 
>> intercept/hack to solve this problem if at all possible :)
>>
>>
> 
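
The transparent (hairpin) DNAT Andy is after, written out by hand with iptables, as an added example: this is not code from the thread or from the firewall scripts it discusses. The function name hairpin_rules, the LAN network 192.168.55.0/24 and the dry-run/apply switch are this example's own assumptions; the addresses and ports are the ones from the thread. It prints the rules instead of installing them, so they can be read before they are run as root. What it adds to the DNAT lines already in the thread is the POSTROUTING SNAT: a PREROUTING or OUTPUT DNAT on its own delivers the LAN client's SYN to 192.168.55.1, but the server then answers the client directly from 192.168.55.1, which the client never connected to, so it drops the reply. Source-NATing those DNATed connections to the firewall's internal address forces the reply back through the firewall, where conntrack undoes the DNAT. The "no longer support implicit source local NAT" line is the kernel saying that newer 2.6 kernels no longer rewrite the source for you after an OUTPUT DNAT; the explicit SNAT supplies it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the firewall scripts.
# Generates the iptables rules for "transparent" (hairpin) DNAT so that LAN
# hosts, and the firewall itself, can connect to the public IP and be
# redirected to the LAN server.  hairpin_rules, the LAN network and the
# dry-run/apply switch are assumptions of this example.

IPT=${IPT:-iptables}

# hairpin_rules EXT_IP FW_INT_IP LAN_NET SERVER_IP PORTS
#   PORTS is comma separated, as in DNAT_TCP_PORTS.  Prints one iptables
#   command per line; the caller decides whether to execute them.
hairpin_rules() {
    ext_ip=$1 fw_ip=$2 lan=$3 server=$4
    for port in $(printf '%s' "$5" | tr ',' ' '); do
        # 1. LAN client -> EXT_IP:port: rewrite the destination.  Restricted
        #    to -s LAN so the ordinary Internet port forward stays a separate
        #    rule that does not get the SNAT below.
        echo "$IPT -t nat -A PREROUTING -s $lan -d $ext_ip -p tcp --dport $port" \
             "-j DNAT --to-destination $server:$port"
        # 2. Same for connections the firewall itself opens; locally generated
        #    packets never pass PREROUTING, only OUTPUT.
        echo "$IPT -t nat -A OUTPUT -d $ext_ip -p tcp --dport $port" \
             "-j DNAT --to-destination $server:$port"
        # 3. The part a plain DNAT lacks: without it the server replies to the
        #    LAN client straight from $server, the client expected $ext_ip and
        #    resets the connection.  SNAT to the firewall's internal address
        #    brings the reply back through the firewall.
        echo "$IPT -t nat -A POSTROUTING -s $lan -d $server -p tcp --dport $port" \
             "-j SNAT --to-source $fw_ip"
        # 4. Same for the firewall's own connections, whose source is the
        #    external address after the OUTPUT DNAT; this is the source rewrite
        #    the kernel warns it no longer does implicitly.
        echo "$IPT -t nat -A POSTROUTING -s $ext_ip -d $server -p tcp --dport $port" \
             "-j SNAT --to-source $fw_ip"
    done
}

# Usage:  sh hairpin.sh         -> print the rules (dry run)
#         sh hairpin.sh apply   -> execute them (needs root and iptables)
rules=$(hairpin_rules 1.2.3.4 192.168.55.2 192.168.55.0/24 192.168.55.1 25,80,143)
if [ "${1:-}" = apply ]; then
    printf '%s\n' "$rules" | sh -e
else
    printf '%s\n' "$rules"
fi
```

The FORWARD chain still has to accept the LAN-to-server traffic, and the server's default gateway must be the firewall; with the SNAT in place the server sees every hairpinned connection coming from 192.168.55.2 rather than from the real LAN client, which is the price of not running a split DNS.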