Default Gateway solution on NAT'd network (best options)

Posted by kwiksand on Server Fault
Published on 2012-10-02T01:27:25Z Indexed on 2012/10/02 3:40 UTC

I've recently changed a network from a bunch of machines exposed to the net on a network to a more security conscious Firewall-fronted network with a DMZ for public services. Everything's mostly working perfectly now, but I've got the old problem of NAT Loopback where a machine within the LAN wants to access a public service via the public/external IP.

I've solved this problem previously in a small/SOHO environment simply using NAT loopback features of the router in use or a simple iptables rule to do the same, but I want to make sure I make the most resilient choice with the least concern.

It seems I can:

  • Use iptables as I've said to DNAT and MASQUERADE (change the source/destination) so the connection works correctly, i.e.

    # Redirect traffic (from the LAN too) aimed at the public IP:8080 to the internal host
    iptables -t nat -A PREROUTING -d ip.of.eth0.here -p tcp --dport 8080 -j DNAT --to 192.168.0.201:8080
    # Rewrite the source of LAN-originated, DNAT'd connections so the reply comes back via the firewall
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.201 -p tcp --dport 8080 -j MASQUERADE

  • Use split DNS, with internal mappings for public IPs
  • Potentially do some route nastiness by setting the Default Gateway to use a different externally exposed IP to then come back in the public route (messy)
  • Someone mentioned putting the Default Gateway within the DMZ as well (on serverfault), but I can't find the post again.

I'm sure this is a common issue for many with NAT'd networks, but I've not really seen the perfect solve-all when it comes to fixing this problem.

What is your opinion?

© Server Fault or respective owner
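As an added example (not code from the original question or from any Server Fault answer), here is a small POSIX sh script that generates the iptables rules for the first option above, with a comment on when the MASQUERADE/SNAT step is actually required, plus the dnsmasq directive for the split-DNS option. The topology and addresses (203.0.113.10 as the public IP, a 10.10.10.0/24 DMZ behind the same firewall, the name `www.example.com`) are assumptions made up for illustration.

```shell
#!/bin/sh
# hairpin.sh - generate NAT-loopback (hairpin NAT) iptables rules for a Linux
# firewall so LAN clients can reach a DMZ service via its *public* address.
# Added example for this page, not code from the original post.
# Assumed topology (constructed): eth0 = WAN with public IP 203.0.113.10,
#   LAN 192.168.0.0/24 on eth1, DMZ 10.10.10.0/24 on eth2, firewall = 10.10.10.1.
set -eu

# POSIX-sh sanity check for a dotted-quad IPv4 address (each octet 0..255).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the rules for one published TCP service.
#   $1 public IP   $2 LAN network (CIDR)   $3 DMZ server IP   $4 TCP port
hairpin_rules() {
    pub=$1 lan=$2 srv=$3 port=$4
    # 1. DNAT anything addressed to the public IP:port. Deliberately NOT
    #    limited with "-i eth0": LAN clients hitting the public IP must match too.
    echo "iptables -t nat -A PREROUTING -d $pub -p tcp --dport $port -j DNAT --to-destination $srv:$port"
    # 2. Let the (already DNAT'd) flow through FORWARD, and its replies back.
    echo "iptables -A FORWARD -d $srv -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $srv -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. Source-NAT only the hairpinned LAN->server flows. This is needed when the
    #    server has a path back to the LAN client that does not cross this firewall
    #    (same segment, or another router): the reply would then arrive from $srv
    #    instead of $pub and the client resets it. If the firewall is the server's
    #    only route to the LAN, conntrack reverses the DNAT on the reply and this
    #    rule can be dropped, which keeps the real client address in server logs.
    echo "iptables -t nat -A POSTROUTING -s $lan -d $srv -p tcp --dport $port -j MASQUERADE"
}

# The split-DNS alternative: make the internal resolver answer the public name
# with the DMZ address, so LAN clients never hit the public IP at all.
# Emits a dnsmasq "address=" directive (name and address are assumed inputs).
split_dns_line() {
    echo "address=/$1/$2"
}

# Usage: sh hairpin.sh PUBLIC_IP LAN_NET DMZ_SERVER PORT    (prints the rules)
#        sh hairpin.sh ... | sudo sh                         (applies them)
if [ $# -eq 4 ]; then
    for ip in "$1" "$3"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; exit 2; }
    done
    hairpin_rules "$1" "$2" "$3" "$4"
fi
```

Run it as `sh hairpin.sh 203.0.113.10 192.168.0.0/24 10.10.10.5 8080` to review the rules before piping them to a root shell. Split DNS is the cleaner of the two for a DMZ behind its own firewall: it keeps real client addresses in the server's logs and does not depend on the firewall's connection tracking, while hairpin NAT remains useful for clients that bypass the internal resolver or have the public IP hard-coded.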
