Default Gateway solution on NAT'd network (best options)
Posted
by
kwiksand
on Server Fault
See other posts from Server Fault
or by kwiksand
Published on 2012-10-02T01:27:25Z
Indexed on
2012/10/02
3:40 UTC
Read the original article
Hit count: 428
I've recently changed a network from a bunch of machines exposed to the net on a network to a more security conscious Firewall-fronted network with a DMZ for public services. Everything's mostly working perfectly now, but I've got the old problem of NAT Loopback where a machine within the LAN wants to access a public service via the public/external IP.
I've solved this problem previously in a small/SOHO environment simply using NAT loopback features of the router in use or a simple iptables rule to do the same, but I want to make sure I make the most resilient choice with the least concern.
It seems I can:
- Use iptables as I've said to DNAT and MASQUERADE the change source/destination so the connection works correctly i.e
iptables -A PREROUTING -t nat -d ip.of.eth0.here -p tcp --dport 8080 -j DNAT --to 192.168.0.201:8080 iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp --dport 8080 -d 192.168.0.201 -j MASQUERADE
- Use split DNS, with internal mappings for public IP's
- Potentially do some route nastyness by setting the Default Gateway to use a different externally exposed IP to then come back in the public route (messy)
- Someone mentioned putting the Default Gateway within the DMZ as well (on serverfault), but I can't find the post again.
I'm sure this is a common issue for many with NAT'd networks, but I've not really seen the perfect solve all when it comes to fixing this problem.
What is your opinion?
© Server Fault or respective owner