Old 06-16-2008, 02:49 AM   #1
LQ Newbie
Registered: Dec 2007
Location: Hyderabad
Distribution: Fedora Core 8
Posts: 12
iptables - DNAT / ARP issues

Hello, can someone please tell me how to make my Linux firewall respond to ARP requests when configured for DNAT?

-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 80 -j DNAT --to-destination
-A PREROUTING -d <<public-ip>> -i eth1 -p icmp -j DNAT --to-destination
-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 23 -j DNAT --to-destination
-A PREROUTING -d <<public-ip>> -p tcp -m tcp --dport 20:21 -j DNAT --to-destination

Old 06-17-2008, 12:58 AM   #2
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

The firewall has very little to do with ARP, which is a low-level protocol that appears on Ethernet segments. On the public side of your firewall, any ARP request for your public-side IP address ought to be answered with the Ethernet address (6 bytes) of your public-side interface.

On the private side (your 192.168.1.x net), ARP requests for the private-side IP address should likewise be answered with the Ethernet address of the private-side interface.

The firewall machine should NOT (and will not) answer ARP requests on the private side for public IP addresses. In order for traffic to flow through the firewall to the public Internet, you need to specify a default route in each of the systems on the private net (except the firewall); that default route should specify the private-side address of the firewall as the gateway.

In a similar fashion, the firewall machine will not answer ARP requests on the public-side which ask for resolution of a private-side address. The situation is a little different on this side, because the Private Networking addresses (192.168.x.y) should never appear on the public Internet. Any public router that receives a packet containing such an address will discard it. Therefore, you will probably never see an ARP for a 192.168.1.x address on your public interface.
Old 06-17-2008, 08:32 AM   #3
LQ Newbie
Registered: Dec 2007
Location: Hyderabad
Distribution: Fedora Core 8
Posts: 12

Original Poster
I think I found the solution.

You need to execute the following commands:

ip route add nat <<public ip>> via
ip rule add nat <<public ip>> from

Below are the links that give a clear explanation of the issues with DNAT & ARP:
Old 09-29-2008, 05:07 PM   #4
LQ Newbie
Registered: Nov 2007
Posts: 9

OK, I spent two days trying to solve this same problem. Since I was using the 2.6 kernel, I couldn't use Vikram's 'accidental' proxy arp solution. It turns out that in all of the tutorials on DNAT that I found, they either neglected to mention, or I failed to notice (probably the latter), that you need to bind the public address that you are DNATing to the public interface of the firewall.

Using Vikram's example, at some point you need to execute:

ip addr add <<PUBLIC_IP>> dev <<firewall_external_interface>>

Gaaaah. This drove me mad for days!
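As a defender's configuration check for the problem described in the posts above, here is an added Python script (not from this thread or any of its posters). It parses the output of `iptables -t nat -S PREROUTING` and `ip -4 -o addr show` and lists DNAT target addresses that the firewall does not actually hold on an interface, or holds on a different interface than the rule's `-i` names; the kernel never answers ARP for such an address, so the rule is silently dead. The sample outputs and addresses below are constructed (documentation ranges), not taken from the thread.

```python
import re

# Constructed sample output of `iptables -t nat -S PREROUTING` (addresses are constructed)
NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -d 203.0.113.11/32 -i eth1 -p icmp -j DNAT --to-destination 192.168.1.11
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.10
"""
# Constructed sample output of `ip -4 -o addr show` on the same firewall (eth1 is the public side)
IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""
_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+")


def bound_addresses(ip_addr_output):
    """Map each IPv4 address the kernel will answer ARP for to the interface holding it."""
    bound = {}
    for line in ip_addr_output.splitlines():
        m = _ADDR_RE.match(line)
        if m:
            bound[m.group(2)] = m.group(1)
    return bound


def dnat_destinations(nat_rules):
    """Yield (matched destination address, -i interface or None) for every DNAT rule."""
    for line in nat_rules.splitlines():
        tok = line.split()
        if "-j" not in tok or tok[tok.index("-j") + 1] != "DNAT" or "-d" not in tok:
            continue  # policy line, or a rule that is not a DNAT on a destination address
        dst = tok[tok.index("-d") + 1].split("/")[0]
        iface = tok[tok.index("-i") + 1] if "-i" in tok else None
        yield dst, iface


def unbound_dnat_targets(nat_rules, ip_addr_output):
    """Return sorted DNAT targets not bound on the firewall, or bound on the wrong interface."""
    # Traffic for such an address never gets an ARP reply, so it never reaches PREROUTING.
    bound = bound_addresses(ip_addr_output)
    problems = set()
    for dst, iface in dnat_destinations(nat_rules):
        if dst not in bound or (iface and bound[dst] != iface):
            problems.add(dst)
    return sorted(problems)


if __name__ == "__main__":
    print("dead DNAT targets:", unbound_dnat_targets(NAT_RULES, IP_ADDR))
```

A flagged address is the one to bind with `ip addr add <address>/32 dev <external interface>` as the post above describes; on a real host, feed the script the live command outputs instead of the constructed strings.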

