Hi,
Sorry if this has been asked before in some other guise - I looked through the archives but couldn't spot anything (or a search feature..)
I'm going to be implementing a gateway system using IPTables, which will need to perform both DNAT & SNAT on incoming connections.
The reason being that I want to provide external access to systems on a LAN which do not have a default gateway (and nor do I want them to have one).
The connections will come in to the public IP of the gateway and be DNAT'ed to the internal IP PREROUTING, and then SNAT'ed to the gateway's private IP POSTROUTING so that the internal systems have a route out for reply traffic.
I've tested this on a small test-network but before I try to roll it out on a larger scale, are there any issues with doing this that I should be aware of?
Thanks Lee
Hi Lee,
I have had problems with this in the past with strange protocols which the connection tracking does not recognise as related. For example, xdm over this arrangment has some initial udp communication to organise the X connection, then the client side (LAN in your case) initiates a TCP connection to the server. In this scenario the fw does not recognise the tcp connection as related to the udp connection, and does not know how to NAT this packet.
This is a fairly strange example though, things like telnet, web etc all worked fine.
Hope this helps, Clayton
-- Clayton Russell Systems Administrator Vector Networks Pty Ltd em: clayton.russell@xxxxxxxxxxxxx wb: www.vector.net.au ph: +61 7 3236 9328
