- 06-16-2008 #1 Just Joined!
- Join Date
- Dec 2007
- Posts
- 14
iptables - DNAT / ARP issues
--------------------------------------------------------------------------------
Hello, can someone please tell me how to make my Linux firewall respond to ARP requests when configured for DNAT?
-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d <<public-ip>> -i eth1 -p icmp -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 23 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.10
Thanks,
Vikram
- 06-16-2008 #2 Just Joined!
- Join Date
- Jun 2008
- Location
- India, Kolkata
- Posts
- 10
Hi,
Did you configure your Linux box as a router?
Please check the file /etc/sysctl.conf,
and verify net.ipv4.ip_forward = 1
[Default value is 0]
--
Swagato
Last edited by devils casper; 06-19-2008 at 08:56 AM. Reason: link removed
- 06-16-2008 #3 Just Joined!
- Join Date
- Dec 2007
- Posts
- 14
I did configure the box as a Linux router; the routing and SNAT are working perfectly fine, except for the DNAT.
When a request comes in from the internet for the DNAT IP address, all I can see in "tcpdump" is an ARP request for who-is x.x.x.x, and the firewall does not respond to that.
Thanks,
Vikram
- 06-16-2008 #4 Just Joined!
- Join Date
- Jun 2008
- Location
- India, Kolkata
- Posts
- 10
Please send me the last 20 lines of your log file /var/log/messages, just after the remote request.
-- Swagato
Last edited by devils casper; 06-19-2008 at 08:56 AM. Reason: link removed
- 06-17-2008 #5 Just Joined!
- Join Date
- Dec 2007
- Posts
- 14
I think I found the solution.
I need to execute the following commands:
ip route add nat <<public ip>> via 192.168.1.10
ip rule add nat <<public ip>> from 192.168.1.10
Below are the links that give a clear explanation of the issues with DNAT and ARP:
5.5. Destination NAT with netfilter (DNAT)
5.3. Stateless NAT with iproute2
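
An added diagnostic for the symptom described in post #3, not part of any post in the thread: a DNAT rule alone does not make the host answer ARP for the matched address, so this script lists the `-d` addresses of PREROUTING DNAT rules that are not configured on any local interface. The function names and the 203.0.113.x sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report DNAT match addresses the firewall itself does not own.

# Print the unique -d address of every PREROUTING rule that jumps to DNAT.
# Input: iptables-save style rules on stdin (the format used in the first post).
dnat_dests() {
    awk '$1 == "-A" && $2 == "PREROUTING" {
        dst = ""; dnat = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-j" && $(i + 1) == "DNAT") dnat = 1
        }
        sub(/\/.*/, "", dst)                      # drop a /mask suffix
        if (dnat && dst != "" && !seen[dst]++) print dst
    }'
}

# Print the bare IPv4 addresses from `ip -o -4 addr show` output on stdin.
local_addrs() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { split($(i + 1), a, "/"); print a[1] } }'
}

# unowned_dnat RULES_FILE ADDRS_FILE: DNAT addresses absent from the interfaces.
unowned_dnat() {
    owned=$(local_addrs < "$2")
    dnat_dests < "$1" | while read -r ip; do
        printf '%s\n' "$owned" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

# Constructed sample data: 203.0.113.10 stands in for <<public-ip>>.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/rules" <<'EOF'
-A PREROUTING -d 203.0.113.10 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d 203.0.113.10 -i eth1 -p icmp -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d 203.0.113.2/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.20
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 203.0.113.2
EOF
    cat > "$dir/addrs" <<'EOF'
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 203.0.113.2/28 brd 203.0.113.15 scope global eth1
EOF
    unowned_dnat "$dir/rules" "$dir/addrs"
    rm -rf "$dir"
}

demo
```

On a live firewall, feed it the output of `iptables-save -t nat` and `ip -o -4 addr show` saved to two files instead of the sample data.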


