From: Clayton Russell <clayton.russell@vector.net.au>
To: netfilter@lists.netfilter.org
Subject: Re: SNAT & DNAT
Date: Wed, 20 Oct 2004 09:54:22 +1000	[thread overview]
Message-ID: <4175A92E.1000600@vector.net.au> (raw)
In-Reply-To: <20041018152033.C85228A3C0@bne-mail01.vector.net.au>

Lee Evans wrote:
> Hi,
> 
> Sorry if this has been asked before in some other guise - I looked through
> the archives but couldn't spot anything (or a search feature..)
> 
> I'm going to be implementing a gateway system using IPTables, which will
> need to perform both DNAT & SNAT on incoming connections.
> 
> The reason being that I want to provide external access to systems on a LAN
> which do not have a default gateway (and nor do I want them to have one).
> 
> The connections will come in to the public IP of the gateway and be DNAT'ed
> to the internal IP PREROUTING, and then SNAT'ed to the gateway's private IP
> POSTROUTING so that the internal systems have a route out for reply traffic.
> 
> I've tested this on a small test-network but before I try to roll it out on
> a larger scale, are there any issues with doing this that I should be aware
> of?
> 
> Thanks
> Lee
> 
> 
Hi Lee,

I have had problems with this in the past with strange protocols which 
the connection tracking does not recognise as related.  For example, xdm 
over this arrangement has some initial udp communication to organise the 
X connection, then the client side (LAN in your case) initiates a TCP 
connection to the server.  In this scenario the fw does not recognise 
the tcp connection as related to the udp connection, and does not know 
how to NAT this packet.

This is a fairly strange example though, things like telnet, web etc all 
worked fine.

Hope this helps,
Clayton

-- 
Clayton Russell
Systems Administrator
Vector Networks Pty Ltd
em: clayton.russell@vector.net.au
wb: www.vector.net.au
ph: +61 7 3236 9328
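The DNAT-in-PREROUTING plus SNAT-in-POSTROUTING arrangement Lee describes, as an added example that is not from either poster: a shell function that prints the iptables rules for one published service so they can be reviewed before being applied. All interface names, addresses and ports are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Prints, rather than runs, the
# iptables rules for a gateway that publishes one service to an internal
# host which has no default gateway. All values passed in are placeholders.

nat_rules() {
    wan_if="$1"    # public-facing interface of the gateway
    pub_ip="$2"    # public IP that external clients connect to
    gw_lan_ip="$3" # gateway's private IP, used as the SNAT source
    target="$4"    # internal host without a default route
    proto="$5"     # tcp or udp
    port="$6"      # published port

    # 1. Rewrite the destination before routing, so the packet is
    #    forwarded to the internal host instead of delivered locally.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto -d $pub_ip --dport $port -j DNAT --to-destination $target:$port"
    # 2. Rewrite the source after routing, so the internal host sees an
    #    on-link peer and its replies return through the gateway.
    echo "iptables -t nat -A POSTROUTING -p $proto -d $target --dport $port -j SNAT --to-source $gw_lan_ip"
    # 3. Forward only the published service plus conntrack-tracked replies.
    #    A protocol that opens a second connection the conntrack does not
    #    mark RELATED (Clayton's xdm case) will not match these rules and
    #    needs a conntrack helper or an explicit rule before it can be NATed.
    echo "iptables -A FORWARD -i $wan_if -p $proto -d $target --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 4. Log what falls through, so unexpected traffic is visible, then drop.
    echo "iptables -A FORWARD -j LOG --log-prefix 'fwd-drop: '"
    echo "iptables -A FORWARD -j DROP"
}

# Constructed usage: publish TCP/22 on the public address to a LAN host.
nat_rules eth0 203.0.113.10 192.168.10.1 192.168.10.50 tcp 22
```

Pipe the output into `sh` only after checking it against the current `iptables-save` output, since each run appends rules rather than replacing them.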