iptables

vikram.anumukonda · 06-16-2008, 01:49 AM

Hello , Can someone pls tell me how to make my Linux Firewall respond to ARP Requests when configured for DNAT.

-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d <<public-ip>> -i eth1 -p icmp -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 23 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.10

Thanks,
Vikram

dkm999 · 06-16-2008, 11:58 PM

The firewall has very little to do with ARP, which is a low-level protocol that appears on Ethernet segments. On the public side of your firewall, any ARP request for your public-side IP address ought to be answered with the Ethernet address (6-bytes) of your public-side interface.

On the private side (your 192.168.1.x net), ARP requests for the private-side IP address should likewise be answered with the Ethernet address of the private-side interface.

The firewall machine should NOT (and will not) answer ARP requests on the private side for public IP addresses. In order for traffic to flow through the firewall to the public Internet, you need to specify a default route in each of the systems on the private net (except the firewall); that default route should specify the private-side address of the firewall as the gateway.

In a similar fashion, the firewall machine will not answer ARP requests on the public-side which ask for resolution of a private-side address. The situation is a little different on this side, because the Private Networking addresses (192.168.x.y) should never appear on the public Internet. Any public router that receives a packet containing such an address will discard it. Therefore, you will probably never see an ARP for a 192.168.1.x address on your public interface.

vikram.anumukonda · 06-17-2008, 07:32 AM

Think , i found the solution

need to execute the following commands

ip route add nat <<public ip>> via 192.168.1.10
ip rule add nat <<public ip>> from 192.168.1.10

below are the links that give a clear explanation of issues with DNAT & ARP

http://linux-ip.net/html/nat-dnat.html

http://linux-ip.net/html/nat-statele...-stateless-arp

babel17 · 09-29-2008, 04:07 PM

OK, I spent to days trying solve this same problem. Since I was using the 2.6 kernel, I couldn't use Vikram's 'accidental' proxy arp solution. It turns out that in all of the tutorials on DNAT that I found, they either neglected to mention, or I failed to notice (probably the latter), that you need to bind the public address that you are DNATing to the public interface of the firewall.

Using Vikram's example, at some point you need to execute:

ip addr add <<PUBLIC_IP>> dev <<firewall_external_interface>>

Gaaaah. This drove me mad for days!