[Firehol-support] Re: DNAT not working where inface and outface are the same
Thomas Arendsen Hein
thomas at intevation.de
Thu Oct 13 07:45:29 BST 2005
* Carlos Rodrigues <carlos.efr at mail.telepac.pt> [20051012 22:09]:
> The router where both interfaces are the same is needed after all, and
> an SNAT rule (the reverse of the DNAT) is also needed (to prevent both
> machines on the same LAN from talking directly to each other).
>
> Although it is working now, I would prefer if the SNAT was only applied
> when the inface is the one on the LAN where the target host resides, but
> I can't seem to do this... I declare this:
>
> dnat to ${target} dst ${public_address}
> snat to ${public_address} dst ${target} inface ${lan_iface}
>
> But FireHOL says the "inface" will be overridden with "any", thus
> activating the SNAT whichever interface the packets are coming from.
I have this snat rule in my firehol.conf:
snat to "$intip" outface "$intif" src "$intnet" dst "$intnet"
$public_address should work instead of $intip, too, but I thought
this to be cleaner.
Speaking of cleaner ... now I'm using a split DNS (using views in
bind9) setup, so LAN clients talk directly to the local IPs of the
machines, so these SNAT rules aren't really used now.
Thomas
--
Email: thomas at intevation.de
http://intevation.de/~thomas/