[Firehol-support] Can dnat from a non-gateway firewall work with FireHOL/iptables rules?

Whit Blauvelt whit at transpect.com
Wed Jul 30 01:17:20 BST 2014


Hi,

I've got a situation where there's more than one firewall on the
public-facing edge of a LAN, each with multiple public IPs. Passing through
traffic to, say, a mail or web server within the LAN generally works with
iptables and a combination of dnat and snat, as long as the default gateway
for the internal machines is the firewall receiving the traffic. The traffic
comes in at the external IP, gets dnat'ed to an internal IP, which sends the
reply traffic back to the gateway, which can SNAT it to the same IP it came
in on based on the IP and port of the internal server it's coming from.

For the firewalls which are not the LAN's default gateway though I haven't
found the iptables combination that will handle this. It's trivial to port
forward in this situation with a utility like pound or xinetd, either of
which will readdress the incoming packets so that they go back out exactly
as they came in. Then from the POV of iptables it's just a local service on
the firewall.

But I can't help thinking it would be more efficient if it can be set up
with iptables handling the whole thing. Also, with xinetd at least the
method causes packets arriving at the internal server to have the apparent
internal IP of the firewall rather than the real remote IP, which is
decidedly less useful in the server logs there. 

Obviously this is an unusual setup. Maybe a perfect solution doesn't exist?

Thanks,

Whit
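The two rule sets below are an added illustration of the situation described in the post; they are not from the original message, from FireHOL, or from anyone on the list. The topology and every address, interface name and table number in them are assumptions: a second firewall "fw2" with public address 203.0.113.2 on eth0 and LAN address 10.0.0.2 on eth1 (not the LAN's default gateway), and a web server at 10.0.0.10 whose default gateway is the other firewall at 10.0.0.1. Option A is the plain DNAT plus SNAT combination, which works through a non-gateway firewall precisely because the SNAT makes the server answer to fw2, at the cost of the server logging fw2's address (the same drawback the post notes for xinetd). Option B keeps the real remote address by doing DNAT only, to a dedicated alias on the server, and then steering replies from that alias back through fw2 with source-based policy routing on the server. Rules are printed unless the script is run with APPLY=1 on the host they belong to.

```shell
#!/bin/sh
# Added example, not code from the original post or from FireHOL.
# Assumed topology (all addresses are illustrative, RFC 5737/1918 ranges):
#   fw2: public 203.0.113.2 on eth0, LAN 10.0.0.2 on eth1; NOT the LAN's default gateway
#   srv: 10.0.0.10 on eth0, default gateway 10.0.0.1 (fw1), plus alias 10.0.0.11 for option B
# With APPLY=1 the commands are executed; otherwise they are only printed.

PUB_IP=203.0.113.2;  FW2_LAN_IP=10.0.0.2
SRV_IP=10.0.0.10;    SRV_ALIAS=10.0.0.11
WAN=eth0;            LAN=eth1

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Option A, on fw2: DNAT the public address to the server and SNAT the
# forwarded packets to fw2's own LAN address. The server sees fw2 as the
# client, so its replies come back to fw2 regardless of its default gateway,
# and conntrack reverses both translations on the way out. Drawback: the
# server logs 10.0.0.2 instead of the real remote address.
fw2_dnat_snat() {
    run iptables -t nat -A PREROUTING  -i "$WAN" -d "$PUB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SRV_IP"
    run iptables -t nat -A POSTROUTING -o "$LAN" -d "$SRV_IP" -p tcp --dport 80 \
        -j SNAT --to-source "$FW2_LAN_IP"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$SRV_IP" -p tcp --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Option B, on fw2: DNAT only, to a dedicated alias on the server. The real
# remote address is preserved in the packets the server receives; the server
# must route replies from that alias back through fw2 (see below).
fw2_dnat_only() {
    run iptables -t nat -A PREROUTING -i "$WAN" -d "$PUB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SRV_ALIAS"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$SRV_ALIAS" -p tcp --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$SRV_ALIAS" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Option B, on the server: traffic sourced from the alias leaves via fw2
# (routing table 100, an assumed free table id); everything else keeps using
# the normal default gateway. The daemon must listen on the alias address.
server_policy_routing() {
    run ip addr add "$SRV_ALIAS/24" dev eth0
    run ip route add default via "$FW2_LAN_IP" dev eth0 table 100
    run ip rule add from "$SRV_ALIAS" lookup 100
}

# Default invocation: print all three rule sets.
fw2_dnat_snat
fw2_dnat_only
server_policy_routing
```

The point of option B is that the server needs a distinguishing mark to pick the return path, and a separate address is the simplest one: a single address cannot tell the kernel which firewall a given connection arrived through. Check the result with `ip rule show` and `ip route show table 100` on the server, and with `conntrack -L` on fw2, where each forwarded connection should appear with the public address in the reply tuple.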
