[Firewall] transparent dnat timeouts

John Eikenberry jae at zhar.net
Sun Mar 8 02:59:49 CET 2009

Googled and read today and found several discussions of the issue. The
problem seems to be that both the server and client are part of the same
sub-net. So the server tries to send the forwarded packet directly back to
the client instead of routing it back through the firewall [1]. Found a
mostly working solution on a thread referenced off that one with a pair of
rules that work [2]. Here they are hard coded with values from my network I
was testing with.


iptables -t nat -A POSTROUTING -o eth0 -p tcp -s \
    --dport 80 -d -j MASQUERADE

iptables -t nat -A PREROUTING -i eth0 -p tcp -d \
    --dport 80 -j DNAT --to-destination


The second line there is pretty much the same as the one generated by the
tranparent-dnat plugin. The first one is the one that forces it back
through the firewall.

The one issue with this is that all the connections from the internal
network all get logged as if they came from the firewall. The thread where
this was discussed suggested the '-s' bit as a solution to
this but it doesn't seem to help.

While reading about this a lot of people said just to use an internal
nameserver to return your internal ip of the server for the domain instead
of the real external ip. This would work for me as I have all the port
forwarded services running on the same machine and I already have an
internal nameserver. But it seems like this could cause problems, though I
have a hard time putting my finger on anything in particular. Any down side
to this? Which would you do?


[1] http://forums.whirlpool.net.au/forum-replies.cfm?t=516165&r=7892983#r7892983
[2] http://forums.whirlpool.net.au/forum-replies.cfm?t=505897


John Eikenberry
[jae at zhar.net - http://zhar.net]
[PGP public key @ http://zhar.net/jae_at_zhar_net.gpg]
"Perfection is attained, not when no more can be added, but when no more 
 can be removed." -- Antoine de Saint-Exupery
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://rocky.eld.leidenuniv.nl/pipermail/firewall/attachments/20090307/e6c9eb24/attachment.pgp>

More information about the Firewall mailing list