[Firewall] transparent dnat timeouts
Mark van Dijk
mark at voidzero.net
Wed Mar 11 14:45:00 CET 2009
I am using this on my LAN. I have three LAN interfaces: eth1, eth2 and eth3.
Eth3 is wireless and thus there is a router. I simply use NAT to route
clients and mimic my router's access.
> IMO this solution looks fine. I don't see any real downside of it, and
> isn't this what you wanted: having the clients connect to the server
> as-if they connect from the outside? I'm even thinking about
> implementing this into the dnat plugin too as the concept is pretty
> John Eikenberry wrote:
>> Googled and read today and found several discussions of the issue. The
>> problem seems to be that both the server and client are part of the same
>> sub-net. So the server tries to send the forwarded packet directly back
>> the client instead of routing it back through the firewall. Found a
>> mostly working solution on a thread referenced off that one with a pair of
>> rules that work. Here they are hard-coded with values from my network I
>> was testing with.
>> iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
>> --dport 80 -d 192.168.1.4 -j MASQUERADE
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.127.116.11 \
>> --dport 80 -j DNAT --to-destination 192.168.1.4
>> The second line there is pretty much the same as the one generated by the
>> transparent-dnat plugin. The first one is the one that forces it back
>> through the firewall.
>> The one issue with this is that all the connections from the internal
>> network all get logged as if they came from the firewall. The thread
>> where this was discussed suggested the '-s 192.168.1.0/24' bit as a solution to
>> this but it doesn't seem to help.
>> While reading about this a lot of people said just to use an internal
>> nameserver to return your internal ip of the server for the domain
>> of the real external ip. This would work for me as I have all the port
>> forwarded services running on the same machine and I already have an
>> internal nameserver. But it seems like this could cause problems, though I
>> have a hard time putting my finger on anything in particular. Any downsides
>> to this? Which would you do?
>>  http://forums.whirlpool.net.au/forum-replies.cfm?t=505897
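The rule pair John quotes above, written out as a small generator so the addresses are not hard-coded. This is an added example, not code from the thread or from the firewall package being discussed; it only prints the iptables commands rather than running them, so it can be checked before being applied. The interface name eth0, the LAN subnet and server address are taken from John's message; the firewall's own LAN address 192.168.1.1 is an assumed value. It also adds a LOG rule in FORWARD, which runs after the DNAT in PREROUTING but before the SNAT in POSTROUTING, so the firewall's log keeps the real client address even though the server only ever sees the firewall as the source (the logging complaint in the thread).

```shell
#!/bin/sh
# Added example (not from the thread): build the hairpin-NAT rule set for a
# server on the same subnet as its clients. Prints the commands; review them,
# then pipe the output to sh on the firewall to apply.
# Assumed values (constructed for this example, override via environment):
LAN_IF="${LAN_IF:-eth0}"                  # interface the LAN clients sit on
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # LAN subnet (from the thread)
SERVER="${SERVER:-192.168.1.4}"           # internal server (from the thread)
EXT_IP="${EXT_IP:-220.127.116.11}"        # public address (from the thread)
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"     # firewall's LAN address (assumed)

# hairpin_rules PORT -> prints three iptables commands for one TCP port.
hairpin_rules() {
    port="$1"
    # 1. PREROUTING: LAN client -> public IP gets its destination rewritten to
    #    the internal server. Matching -i on the LAN interface keeps this rule
    #    from touching genuine outside traffic (the normal DNAT handles that).
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s\n' \
        "$LAN_IF" "$EXT_IP" "$port" "$SERVER"
    # 2. FORWARD: log before the source is rewritten, so the firewall's log
    #    still records the real client address that the server never sees.
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -s %s -d %s --dport %s -j LOG --log-prefix "hairpin: "\n' \
        "$LAN_IF" "$LAN_IF" "$LAN_NET" "$SERVER" "$port"
    # 3. POSTROUTING: rewrite the source so the server answers via the firewall
    #    instead of straight back to the client (the asymmetric path in the
    #    thread). SNAT to a fixed address does what MASQUERADE did, but unlike
    #    MASQUERADE it does not drop conntrack entries when the interface flaps.
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -s %s -d %s --dport %s -j SNAT --to-source %s\n' \
        "$LAN_IF" "$LAN_NET" "$SERVER" "$port" "$FW_LAN_IP"
}

# Usage: ./hairpin.sh [port]   (defaults to 80, the port used in the thread)
hairpin_rules "${1:-80}"
```

Note that the internal-nameserver alternative John mentions avoids all three rules: when the LAN resolves the name to 192.168.1.4 directly, no hairpin ever happens and the server logs the real client addresses. The NAT rules are only needed for clients that reach the server by its public address.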