From: Joel Newkirk <firewalldude@newkirk.us>
To: test@seaconindia.com
Cc: netfilter@lists.netfilter.org
Subject: Re: DNAT Problem
Date: Mon, 19 Apr 2004 09:43:01 -0400
Message-ID: <4083D765.7000000@newkirk.us>
In-Reply-To: <1611.80.0.0.23.1082351242.squirrel@80.0.0.175>
test@seaconindia.com wrote:
>Hi All
>
>I am new to iptables & firewalls. I have 2 servers (web & email) running
>behind a firewall. I have a DNAT rule on my firewall, so any requests hitting
>port 25, 80, 110 are DNATed to the internal servers. In turn my internal
>servers (web & email) feel these requests were received from the firewall, i.e.
>an internal IP, and can be trusted.
>
>I want these DNAT requests to be forwarded with their original IP address and
>not as coming from the firewall IP.
>
>Please advise; my firewall rule is as follows:
>
>iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to 192.168.0.175:25
>
>Regards
>
>Joel
>
The way DNAT works, it changes ONLY the destination IP, not the source
IP, so the packets WILL still appear to be from the original source. If
you are NOT seeing them as such, then you have a SNAT rule affecting
them, perhaps something like:
iptables -t nat -A POSTROUTING -j MASQUERADE
or
iptables -t nat -A POSTROUTING -j SNAT --to 192.168.0.254
The solution, if this is the case, is to tie the MASQUERADE or SNAT rule
to a particular interface:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
And make sure that if for some reason you DO need to SNAT traffic from
the firewall inward (out the 'private' NIC), you restrict that
action to particular source IPs or networks (-s a.b.c.d) etc. to ensure
that /only/ the traffic you need to have a different source IP will in
fact get one.
Note that this will prevent computers on the LAN from reaching these
servers at their public IPs (the client connects to the public IP, which is
the firewall, which DNATs the traffic back to the LAN IP of the server, which
tries to reply directly to the client, which is awaiting a reply from the
public IP). If you need to connect to the local servers from the LAN, you
either need to use the local IPs or use a SNAT like:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 192.168.0.254
This way, the ONLY traffic from the firewall to the LAN that is SNATted
is traffic that came from the LAN originally - in most cases, this is
the only SNAT that should be performed on the 'local' interface of the
firewall.
j
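The interaction described above, as an added example that is not part of the thread: a small Python model of nat-table traversal (PREROUTING DNAT, then routing, then POSTROUTING SNAT/MASQUERADE, first-packet of a connection only) showing why a blanket MASQUERADE hides the client's address, why tying it to -o eth1 fixes that, and why the LAN hairpin case needs the -o eth0 -s LAN SNAT. The interface addresses (203.0.113.1 on eth1) and client addresses (198.51.100.7, 192.168.0.10) are constructed; the DNAT_ANY rule is an assumed DNAT variant without -i eth1 so that LAN clients hitting the public IP are also redirected, which is the situation the message describes.

```python
import ipaddress

# Constructed topology (not from the thread): eth1 is the public side, eth0 the LAN side.
IF_ADDR = {"eth1": "203.0.113.1", "eth0": "192.168.0.254"}
PUBLIC_IP = IF_ADDR["eth1"]
LAN = ipaddress.ip_network("192.168.0.0/24")

# The rules discussed in the message, as dicts; keys mirror -i, -o, -s, -d, --dport and -j.
DNAT = {"chain": "PREROUTING", "in_if": "eth1", "dport": 25, "target": "DNAT", "to": "192.168.0.175"}
DNAT_ANY = {"chain": "PREROUTING", "dst": PUBLIC_IP, "dport": 25, "target": "DNAT", "to": "192.168.0.175"}  # assumed: no -i, so LAN clients are DNATed too
MASQ_ALL = {"chain": "POSTROUTING", "target": "MASQUERADE"}                    # no -o: too broad
MASQ_WAN = {"chain": "POSTROUTING", "out_if": "eth1", "target": "MASQUERADE"}  # tied to -o eth1
HAIRPIN = {"chain": "POSTROUTING", "out_if": "eth0", "src_net": LAN, "target": "SNAT", "to": "192.168.0.254"}

def matches(rule, pkt):
    """Every match option present on the rule must agree with the packet."""
    for key in ("in_if", "out_if", "dst", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    return "src_net" not in rule or ipaddress.ip_address(pkt["src"]) in rule["src_net"]

def route(dst):
    """Routing runs after PREROUTING, so it sees the DNATed destination."""
    return "eth0" if ipaddress.ip_address(dst) in LAN else "eth1"

def traverse(rules, src, dst, dport, in_if):
    """PREROUTING -> routing -> POSTROUTING; first matching rule in each chain wins.
    Returns the (source, destination) pair the internal server will see."""
    pkt = {"src": src, "dst": dst, "dport": dport, "in_if": in_if, "out_if": None}
    for r in rules:
        if r["chain"] == "PREROUTING" and matches(r, pkt):
            pkt["dst"] = r["to"]  # DNAT changes only the destination
            break
    pkt["out_if"] = route(pkt["dst"])
    for r in rules:
        if r["chain"] == "POSTROUTING" and matches(r, pkt):
            # MASQUERADE uses the outgoing interface's address; SNAT uses its --to
            pkt["src"] = IF_ADDR[pkt["out_if"]] if r["target"] == "MASQUERADE" else r["to"]
            break
    return pkt["src"], pkt["dst"]

def server_sees(rules, client, in_if):
    """Source/destination the mail server sees for a client's SMTP connection to the public IP."""
    return traverse(rules, client, PUBLIC_IP, 25, in_if)

if __name__ == "__main__":
    # Constructed clients: 198.51.100.7 is an outside host, 192.168.0.10 a LAN host.
    print("blanket MASQUERADE        :", server_sees([DNAT, MASQ_ALL], "198.51.100.7", "eth1"))
    print("MASQUERADE -o eth1        :", server_sees([DNAT, MASQ_WAN], "198.51.100.7", "eth1"))
    print("LAN hairpin + -o eth0 SNAT:", server_sees([DNAT_ANY, MASQ_WAN, HAIRPIN], "192.168.0.10", "eth0"))
```

The model ignores conntrack and reply packets; it only shows which address the first packet of a connection carries when it reaches the server.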