[Firewall] transparent dnat timeouts

Mark van Dijk mark at voidzero.net
Wed Mar 11 14:45:00 CET 2009


I am using this on my LAN. I have three LAN interfaces: eth1, eth2 and eth3.
Eth3 is wireless and thus there is a router. I simply use NAT to route eth1/eth2
clients and mimic my router's access.

Mark

> IMO this solution looks fine. I don't see any real downside of it, and 
> isn't this what you wanted: having the clients connect to the server 
> as-if they connect from the outside? I'm even thinking about 
> implementing this into the dnat plugin too as the concept is pretty good....
> 
> a.
> 
> John Eikenberry wrote:
>> Googled and read today and found several discussions of the issue. The
>> problem seems to be that both the server and client are part of the same
>> sub-net. So the server tries to send the forwarded packet directly back to
>> the client instead of routing it back through the firewall [1]. Found a
>> mostly working solution on a thread referenced off that one with a pair of
>> rules that work [2]. Here they are hard coded with values from my network I
>> was testing with.
>> 
>> -----
>> 
>> iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
>> --dport 80 -d 192.168.1.4 -j MASQUERADE
>> 
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 68.118.117.234 \
>> --dport 80 -j DNAT --to-destination 192.168.1.4
>> 
>> -----
>> 
>> The second line there is pretty much the same as the one generated by the
>> transparent-dnat plugin. The first one is the one that forces it back
>> through the firewall.
>> 
>> The one issue with this is that all the connections from the internal
>> network all get logged as if they came from the firewall. The thread where
>> this was discussed suggested the '-s 192.168.1.0/24' bit as a solution to
>> this but it doesn't seem to help.
>> 
>> While reading about this a lot of people said just to use an internal
>> nameserver to return your internal ip of the server for the domain instead
>> of the real external ip. This would work for me as I have all the port
>> forwarded services running on the same machine and I already have an
>> internal nameserver. But it seems like this could cause problems, though I
>> have a hard time putting my finger on anything in particular. Any down side
>> to this? Which would you do?
>> 
>> Thanks.
>> 
>> [1] http://forums.whirlpool.net.au/forum-replies.cfm?t=516165&r=7892983#r7892983
>> [2] http://forums.whirlpool.net.au/forum-replies.cfm?t=505897
>>
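
The hairpin-NAT behaviour discussed in the quoted messages (the SYN-ACK bypassing the firewall when client and server share a subnet, and the server then logging the firewall's address once the MASQUERADE rule is in place) is easy to trace with a small model. The following is an added Python illustration written for this archive page; it is not code from the firewall project or from any poster. It reuses the addresses quoted above (192.168.1.0/24, 192.168.1.4, 68.118.117.234) and assumes a firewall LAN address of 192.168.1.1 and a client at 192.168.1.50, both of which are made up for the example. Port translation by MASQUERADE is left out, since the source address is what matters here.

```python
"""Model of hairpin (NAT-reflection) traffic through a Linux NAT firewall.

Added illustration for this thread, not code from the firewall project or
any poster.  Network addresses follow the ones quoted in the thread; the
firewall's LAN address and the client address are assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

LAN = ip_network("192.168.1.0/24")        # quoted in the thread
FW_WAN_IP = ip_address("68.118.117.234")  # public address, quoted in the thread
SERVER = ip_address("192.168.1.4")        # DNAT target, quoted in the thread
FW_LAN_IP = ip_address("192.168.1.1")     # ASSUMED: firewall's LAN-side address
CLIENT = ip_address("192.168.1.50")       # ASSUMED: an internal client
SERVICE_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


def prerouting_dnat(pkt: Packet) -> Packet:
    """Models: -t nat -A PREROUTING -d 68.118.117.234 --dport 80 -j DNAT --to 192.168.1.4"""
    if pkt.dst == FW_WAN_IP and pkt.dport == SERVICE_PORT:
        return replace(pkt, dst=SERVER)
    return pkt


def postrouting_masquerade(pkt: Packet, enabled: bool) -> Packet:
    """Models: -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.4 --dport 80 -j MASQUERADE

    enabled=False reproduces the transparent-dnat rule on its own (no hairpin rule).
    """
    if enabled and pkt.src in LAN and pkt.dst == SERVER and pkt.dport == SERVICE_PORT:
        # MASQUERADE replaces the source with the firewall's own address on the
        # outgoing interface; the client address is no longer visible to the server.
        return replace(pkt, src=FW_LAN_IP)
    return pkt


def simulate(hairpin_rule: bool) -> dict:
    """Trace one SYN from the LAN client to the public address and the server's SYN-ACK."""
    syn = Packet(CLIENT, FW_WAN_IP, sport=40000, dport=SERVICE_PORT)
    # 1. The public address is off-subnet, so the client's default route sends the SYN
    #    to the firewall, where PREROUTING (DNAT) and then POSTROUTING (MASQUERADE) run.
    fwd = postrouting_masquerade(prerouting_dnat(syn), hairpin_rule)
    # 2. The server answers whatever source address it saw.
    reply = Packet(SERVER, fwd.src, sport=SERVICE_PORT, dport=fwd.sport)
    if reply.dst == FW_LAN_IP:
        # 3a. The reply is addressed to the firewall, whose conntrack entry reverses
        #     both translations: source back to the public IP, destination to the client.
        reply = replace(reply, src=FW_WAN_IP, dst=CLIENT)
        via_firewall = True
    else:
        # 3b. Client and server share the subnet, so the server delivers the reply
        #     directly on the LAN and the firewall never sees it (no un-DNAT happens).
        via_firewall = False
    # 4. The client's TCP stack only matches the SYN-ACK against its pending socket if
    #    it comes back from the address it connected to; otherwise the connection
    #    retries until it times out.
    accepted = reply.src == syn.dst and reply.dst == syn.src and reply.dport == syn.sport
    return {
        "source_seen_by_server": str(fwd.src),
        "reply_via_firewall": via_firewall,
        "reply_source_seen_by_client": str(reply.src),
        "client_accepts_reply": accepted,
    }


if __name__ == "__main__":
    for enabled in (False, True):
        state = "on " if enabled else "off"
        print(f"hairpin MASQUERADE rule {state}: {simulate(enabled)}")
```

Running it shows the two states side by side: without the POSTROUTING rule the server's reply comes straight from 192.168.1.4 and the client discards it, which is the timeout in the subject line; with it the reply returns through the firewall and is accepted, but the server now sees 192.168.1.1 as the source. That second point is why the `-s 192.168.1.0/24` match cannot fix the logging: it only narrows which packets are masqueraded, and any packet that is masqueraded necessarily carries the firewall's address. The split-DNS approach mentioned in the thread avoids the translation entirely, so the server logs the real client address.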
