[Firewall] transparent dnat timeouts

Mark van Dijk mark at voidzero.net
Wed Mar 11 14:45:00 CET 2009

I am using this on my LAN. I have three LAN interfaces: eth1, eth2 and eth3.
Eth3 is wireless and thus there is a router. I simply use NAT to route
clients and mimic my router's access.


> IMO this solution looks fine. I don't see any real downside of it, and 
> isn't this what you wanted: having the clients connect to the server 
> as-if they connect from the outside? I'm even thinking about 
> implementing this into the dnat plugin too as the concept is pretty
> a.
> John Eikenberry wrote:
>> Googled and read today and found several discussions of the issue. The
>> problem seems to be that both the server and client are part of the same
>> sub-net. So the server tries to send the forwarded packet directly back to
>> the client instead of routing it back through the firewall [1]. Found a
>> mostly working solution on a thread referenced off that one with a pair of
>> rules that work [2]. Here they are hard coded with values from my network I
>> was testing with.
>> -----
>> iptables -t nat -A POSTROUTING -o eth0 -p tcp -s \
>> --dport 80 -d -j MASQUERADE
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -d \
>> --dport 80 -j DNAT --to-destination
>> -----
>> The second line there is pretty much the same as the one generated by the
>> transparent-dnat plugin. The first one is the one that forces it back
>> through the firewall.
>> The one issue with this is that all the connections from the internal
>> network all get logged as if they came from the firewall. The thread where
>> this was discussed suggested the '-s' bit as a solution to
>> this but it doesn't seem to help.
>> While reading about this a lot of people said just to use an internal
>> nameserver to return your internal ip of the server for the domain
>> of the real external ip. This would work for me as I have all the port
>> forwarded services running on the same machine and I already have an
>> internal nameserver. But it seems like this could cause problems, though I
>> have a hard time putting my finger on anything in particular. Any downside
>> to this? Which would you do?
>> Thanks.
>> [1] http://forums.whirlpool.net.au/forum-replies.cfm?t=516165&r=7892983#r7892983
>> [2] http://forums.whirlpool.net.au/forum-replies.cfm?t=505897
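The hairpin-NAT rule pair described in the quoted message, written out as an added example that is not code from the thread or from the transparent-dnat plugin. All addresses are constructed placeholders (RFC 5737 and RFC 1918 ranges), and the interface variable is an assumption: set it to the interface facing both the LAN client and the server. The script generates the rules so they can be reviewed first; it only applies them when APPLY=1 is set. The '-s' match on the MASQUERADE rule is kept so only LAN-originated hairpin traffic is rewritten, and a mangle/PREROUTING LOG rule is added so the firewall itself records the real client address that the server no longer sees.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies) the
# hairpin-NAT rule pair: DNAT the public address to the internal server, then
# MASQUERADE the LAN client's source so the server replies via the firewall
# instead of directly to the client on the shared subnet.
# Addresses below are constructed placeholders; LAN_IF is an assumption.

LAN_IF="${LAN_IF:-eth1}"                # assumption: interface facing client and server
EXT_IP="${EXT_IP:-203.0.113.10}"        # constructed: the router's public address
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed: subnet shared by client and server
SERVER="${SERVER:-192.168.1.20}"        # constructed: internal web server
PORT="${PORT:-80}"

# Rule 1: rewrite the public destination to the internal server.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$EXT_IP" "$PORT" "$SERVER" "$PORT"
}

# Rule 2: force the server's reply back through the firewall. Matching -s on
# the LAN subnet keeps MASQUERADE off genuinely external clients, so their
# real addresses still reach the server's logs.
masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -s %s -d %s --dport %s -j MASQUERADE\n' \
        "$LAN_IF" "$LAN_NET" "$SERVER" "$PORT"
}

# Rule 3: log new hairpin connections in mangle/PREROUTING, which runs before
# any NAT, so the firewall keeps the real client address that rule 2 hides.
log_rule() {
    printf 'iptables -t mangle -A PREROUTING -i %s -p tcp -s %s -d %s --dport %s -m conntrack --ctstate NEW -j LOG --log-prefix "hairpin-nat: "\n' \
        "$LAN_IF" "$LAN_NET" "$EXT_IP" "$PORT"
}

# Refuse obviously wrong input before anything is applied.
validate() {
    case "$PORT" in
        ''|*[!0-9]*) echo "PORT must be numeric" >&2; return 1 ;;
    esac
    if [ "$PORT" -lt 1 ] || [ "$PORT" -gt 65535 ]; then
        echo "PORT out of range" >&2; return 1
    fi
    case "$LAN_NET" in
        */*) ;;
        *) echo "LAN_NET must be in CIDR form" >&2; return 1 ;;
    esac
}

# Print the rules for review; with APPLY=1 execute them instead (needs root).
main() {
    validate || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        dnat_rule | sh && masq_rule | sh && log_rule | sh
    else
        dnat_rule; masq_rule; log_rule
    fi
}

main
```

The rule the plugin already generates for traffic arriving on the external interface is unchanged by this; the pair above only handles clients on the same subnet as the server. Because the LOG rule sits in the mangle table it sees the packet before either NAT rewrite, which is the only place the firewall can still attribute the connection to the originating LAN host.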
