[Firehol-support] Re: DNAT not working where inface and outface are the same

Thomas Arendsen Hein thomas at intevation.de
Thu Oct 13 07:45:29 BST 2005

* Carlos Rodrigues <carlos.efr at mail.telepac.pt> [20051012 22:09]:
> The router where both interfaces are the same is needed after all, and 
> an SNAT rule (the reverse of the DNAT) is also needed (to prevent both 
> machines on the same LAN from talking directly to each other).
> Altough it is working now, I would prefer if the SNAT was only applied 
> when the inface is the one on the LAN where the target host resides, but 
> I can't seem to do this... I declare this:
>   dnat to ${target} dst ${public_address}
>   snat to ${public_address} dst ${target} inface ${lan_iface}
> But FireHOL says the "inface" will be overriden with "any", thus 
> activating the SNAT whichever interface the packets are coming.

I have this snat rule my firehol.conf:
snat to "$intip" outface "$intif" src "$intnet" dst "$intnet"

$public_address should work instead of $intip, too, but I thought
this to be cleaner.

Speaking of cleaner ... now I'm using a split DNS (using views in
bind9) setup, so LAN clients talk directly to the local IPs of the
machines, so this SNAT rules aren't really used now.


Email: thomas at intevation.de

More information about the Firehol-support mailing list