LinuxQuestions.org
Old 06-16-2008, 02:49 AM   #1
vikram.anumukonda
LQ Newbie
 
Registered: Dec 2007
Location: Hyderabad
Distribution: Fedora Core 8
Posts: 12
Blog Entries: 1

Rep: Reputation: 0
iptables - DNAT / ARP issues


Hello, can someone please tell me how to make my Linux firewall respond to ARP requests when configured for DNAT?


-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d <<public-ip>> -i eth1 -p icmp -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 23 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.10


Thanks,
Vikram
 
Old 06-17-2008, 12:58 AM   #2
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
The firewall has very little to do with ARP, which is a low-level protocol that appears on Ethernet segments. On the public side of your firewall, any ARP request for your public-side IP address ought to be answered with the Ethernet address (6 bytes) of your public-side interface.

On the private side (your 192.168.1.x net), ARP requests for the private-side IP address should likewise be answered with the Ethernet address of the private-side interface.

The firewall machine should NOT (and will not) answer ARP requests on the private side for public IP addresses. In order for traffic to flow through the firewall to the public Internet, you need to specify a default route in each of the systems on the private net (except the firewall); that default route should specify the private-side address of the firewall as the gateway.

In a similar fashion, the firewall machine will not answer ARP requests on the public side that ask for resolution of a private-side address. The situation is a little different on this side, because the private networking addresses (192.168.x.y) should never appear on the public Internet. Any public router that receives a packet containing such an address will discard it. Therefore, you will probably never see an ARP for a 192.168.1.x address on your public interface.
 
Old 06-17-2008, 08:32 AM   #3
vikram.anumukonda
LQ Newbie
 
Registered: Dec 2007
Location: Hyderabad
Distribution: Fedora Core 8
Posts: 12
Blog Entries: 1

Original Poster
Rep: Reputation: 0
I think I found the solution.

You need to execute the following commands:

ip route add nat <<public ip>> via 192.168.1.10
ip rule add nat <<public ip>> from 192.168.1.10

Below are the links that give a clear explanation of the issues with DNAT & ARP:

http://linux-ip.net/html/nat-dnat.html


http://linux-ip.net/html/nat-statele...-stateless-arp
 
Old 09-29-2008, 05:07 PM   #4
babel17
LQ Newbie
 
Registered: Nov 2007
Posts: 9

Rep: Reputation: 1
OK, I spent two days trying to solve this same problem. Since I was using the 2.6 kernel, I couldn't use Vikram's 'accidental' proxy ARP solution. It turns out that in all of the tutorials on DNAT that I found, they either neglected to mention, or I failed to notice (probably the latter), that you need to bind the public address that you are DNATing to the public interface of the firewall.

Using Vikram's example, at some point you need to execute:

ip addr add <<PUBLIC_IP>> dev <<firewall_external_interface>>




Gaaaah. This drove me mad for days!
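The fix babel17 describes, as an added example that is not code from the thread: a script that renders the "bind the address, then DNAT" setup for one service and a check that reads an `ip -o -4 addr show` listing to confirm the public address is actually bound before anyone relies on the DNAT rule. The addresses (RFC 5737 documentation range), eth1 and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders the setup babel17 describes
# (bind the public address, then DNAT) and checks an `ip -o -4 addr show`
# listing for that binding. Addresses and interface names are constructed
# placeholders (RFC 5737 documentation range, eth1 as the external interface).

# Print the commands for one DNATed TCP service. The first line is the step
# the tutorials skip: without the address on the external interface the kernel
# has no reason to answer ARP for it, so nothing ever reaches the DNAT rule.
render_dnat_setup() {
    public_ip=$1; ext_if=$2; internal_ip=$3; port=$4
    printf 'ip addr add %s/32 dev %s\n' "$public_ip" "$ext_if"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$ext_if" "$public_ip" "$port" "$internal_ip"
    # FORWARD sees the already-translated destination; allow only that flow.
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$ext_if" "$internal_ip" "$port"
}

# Return 0 if PUBLIC_IP is bound according to LISTING, the text produced by
# `ip -o -4 addr show dev <ext_if>`. Taking the listing as text keeps the
# check usable in a test or a config audit without root or a real interface.
# The trailing "/" stops 203.0.113.2 from matching 203.0.113.25.
public_ip_bound() {
    public_ip=$1; listing=$2
    printf '%s\n' "$listing" | grep -Fq "inet ${public_ip}/"
}

# Constructed listing: the primary address plus one secondary /32 already bound.
SAMPLE_LISTING='2: eth1    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth1\       valid_lft forever preferred_lft forever
2: eth1    inet 203.0.113.25/32 scope global eth1\       valid_lft forever preferred_lft forever'

# Demonstration: 203.0.113.25 is bound, 203.0.113.26 is not.
for ip in 203.0.113.25 203.0.113.26; do
    if public_ip_bound "$ip" "$SAMPLE_LISTING"; then
        echo "$ip: bound on eth1, DNAT rules for it can receive traffic"
    else
        echo "$ip: NOT bound on eth1; run:"
        render_dnat_setup "$ip" eth1 192.168.1.10 80
    fi
done
```

On a real firewall, feed the check with `"$(ip -o -4 addr show dev eth1)"` instead of the sample listing.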