[Firewall] transparent dnat timeouts

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Wed Mar 11 13:26:25 CET 2009


IMO this solution looks fine. I don't see any real downside to it, and 
isn't this what you wanted: having the clients connect to the server 
as if they connect from the outside? I'm even thinking about 
implementing this in the dnat plugin too, as the concept is pretty good.

a.

John Eikenberry wrote:
> Googled and read today and found several discussions of the issue. The
> problem seems to be that both the server and client are part of the same
> sub-net. So the server tries to send the forwarded packet directly back to
> the client instead of routing it back through the firewall [1]. Found a
> mostly working solution on a thread referenced off that one with a pair of
> rules that work [2]. Here they are hard coded with values from my network I
> was testing with.
> 
> -----
> 
> # Make LAN-to-server traffic leave via the firewall, so the server
> # answers the firewall instead of the client directly.
> iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
>     --dport 80 -d 192.168.1.4 -j MASQUERADE
> 
> # Redirect connections to the public address to the internal server.
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 68.118.117.234 \
>     --dport 80 -j DNAT --to-destination 192.168.1.4
> 
> -----
> 
> The second line there is pretty much the same as the one generated by the
> transparent-dnat plugin. The first one is the one that forces it back
> through the firewall.
> 
> The one issue with this is that all the connections from the internal
> network get logged as if they came from the firewall. The thread where
> this was discussed suggested the '-s 192.168.1.0/24' bit as a solution to
> this but it doesn't seem to help.
> 
> While reading about this a lot of people said just to use an internal
> nameserver to return your internal ip of the server for the domain instead
> of the real external ip. This would work for me as I have all the port
> forwarded services running on the same machine and I already have an
> internal nameserver. But it seems like this could cause problems, though I
> have a hard time putting my finger on anything in particular. Any down side
> to this? Which would you do?
> 
> Thanks.
> 
> [1] http://forums.whirlpool.net.au/forum-replies.cfm?t=516165&r=7892983#r7892983
> [2] http://forums.whirlpool.net.au/forum-replies.cfm?t=505897
> 
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
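The rule pair discussed above, generalised to several forwarded ports, as an added example that is not code from Arno's firewall or from the transparent-dnat plugin. Interface, network, addresses and port list are placeholders chosen for the example (the public address is from the documentation range). The rules are printed rather than applied so the script can be reviewed and run without root; the MASQUERADE rule is what makes the server see the firewall's LAN address as the client, which is why restricting it with `-s` cannot fix the logging, and the split-DNS function shows the alternative from the thread, in dnsmasq's `address=/name/ip` form, which keeps the real client address because no NAT happens at all:

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) rule generator. Added illustration, not part of
# Arno's firewall or its transparent-dnat plugin. All values are placeholders.

LAN_IF=eth0               # interface facing the LAN (same side as the server)
LAN_NET=192.168.1.0/24
EXT_IP=203.0.113.10       # public address, constructed (documentation range)
SERVER_IP=192.168.1.4     # internal server hosting the forwarded services
PORTS="80 443"            # forwarded TCP ports

# Print the two nat rules for one port (pipe the output to sh to apply them).
hairpin_rules() {
    port=$1
    # 1. A LAN host connecting to the public IP arrives on the LAN interface,
    #    so the DNAT has to match -i $LAN_IF; the plugin's rule only matches
    #    the external interface.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -d $EXT_IP --dport $port -j DNAT --to-destination $SERVER_IP"
    # 2. After the DNAT the packet leaves on the same LAN interface. Without
    #    this rule the server (same subnet) answers the client directly, the
    #    client sees a reply from $SERVER_IP for a connection it opened to
    #    $EXT_IP, and drops it. MASQUERADE forces the reply back through the
    #    firewall, at the cost that the server logs the firewall's LAN address
    #    as the client for every LAN connection.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -s $LAN_NET -d $SERVER_IP --dport $port -j MASQUERADE"
}

# Emit the rules for every forwarded port.
all_rules() {
    for p in $PORTS; do
        hairpin_rules "$p"
    done
}

# Two rules per port; useful as a sanity check before applying.
rule_count() {
    all_rules | wc -l | tr -d ' '
}

# Alternative from the thread: split DNS. One dnsmasq line returning the LAN
# address for the host name (placeholder) means LAN clients never hit the
# public IP, so no NAT is involved and the server logs the real client.
# Only clients that use the internal resolver benefit.
split_dns_line() {
    echo "address=/$1/$SERVER_IP"
}

all_rules
split_dns_line www.example.com
```

Apply with `sh hairpin.sh | sh` only after checking the printed rules, and keep the DNAT rule for the LAN interface separate from the plugin's external-interface rule so the two do not shadow each other.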

