[Firehol-support] Re: DNAT not working where inface and outface are the same

Carlos Rodrigues carlos.efr at mail.telepac.pt
Wed Oct 12 22:08:19 CEST 2005


Hi again!

Ok, I figured it out (the target machine was replying directly to the 
client, which dropped the packets because it didn't recognize them as 
coming from the redirected address).

The router where both interfaces are the same is needed after all, and 
an SNAT rule (the reverse of the DNAT) is also needed (to prevent both 
machines on the same LAN from talking directly to each other).

Although it is working now, I would prefer if the SNAT was only applied 
when the inface is the one on the LAN where the target host resides, but 
I can't seem to do this... I declare this:

   dnat to ${target} dst ${public_address}
   snat to ${public_address} dst ${target} inface ${lan_iface}

But FireHOL says the "inface" will be overridden with "any", thus 
activating the SNAT whichever interface the packets are coming from.

Thanks,

Carlos Rodrigues


Carlos Rodrigues wrote:
> I have a firewall connected to several LANs with NAT, and I need to have
> some machines on one of the LANs accessible from the outside. For
> that I set up some interface aliases with public addresses and some DNAT
> rules (without an explicit "inface") redirecting those addresses to the
> internal machines (along with some accept rules in the proper "router"
> blocks).
> 
> This works fine when one tries to connect to those public addresses from
> the outside, or from one of the other LANs, but doesn't work when the
> connection comes from the LAN where the target of the DNAT is (let's
> say, users using a fully qualified DNS name that is associated with the
> public address, instead of the internal name).
> 
> In other words, the DNAT works when the in and out interfaces are
> different, but doesn't work when they are the same.
> 
> What can be done to work around this problem?
> 
> I've even tried to set up a "router" block where the inface and outface
> are the same, but that doesn't seem to do a thing...