Default Gateway solution on NAT'd network (best options)
- by kwiksand
I've recently changed a network from a bunch of machines exposed to the net on a network to a more security conscious Firewall-fronted network with a DMZ for public services. Everything's mostly working perfectly now, but I've got the old problem of NAT Loopback where a machine within the LAN wants to access a public service via the public/external IP.
I've solved this problem previously in a small/SOHO environment simply using NAT loopback features of the router in use or a simple iptables rule to do the same, but I want to make sure I make the most resilient choice with the least concern.
It seems I can:
Use iptables as I've said to DNAT and MASQUERADE, changing the source/destination so the connection works correctly,
i.e.
iptables -t nat -A PREROUTING -d ip.of.eth0.here -p tcp --dport 8080 -j DNAT --to 192.168.0.201:8080
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp --dport 8080 -d 192.168.0.201 -j MASQUERADE
Use split DNS, with internal mappings for public IPs
Potentially do some route nastiness by setting the Default Gateway to use a different externally exposed IP to then come back in the public route (messy)
Someone mentioned putting the Default Gateway within the DMZ as well (on serverfault), but I can't find the post again.
I'm sure this is a common issue for many with NAT'd networks, but I've not really seen the perfect solve all when it comes to fixing this problem.
What is your opinion?
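As an added example (not from the original post), here is the full rule set the iptables option needs on a Linux firewall, including the filter-table FORWARD rules the question's two nat-table lines leave out. It is written as a small POSIX shell function that prints the commands for review rather than applying them, so it can be run without root. 203.0.113.10 is an assumed placeholder for the public eth0 address; the LAN range and DMZ host are the ones used in the question.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates a complete hairpin
# (NAT loopback) rule set for a Linux iptables firewall. 203.0.113.10 is an
# assumed placeholder for the firewall's public IP; the other addresses are
# the ones from the question.
#
# Usage: hairpin_rules PUBLIC_IP DMZ_IP PORT LAN_CIDR
# The commands are printed rather than executed so they can be reviewed first;
# pipe the output to `sudo sh` to apply them.
hairpin_rules() {
    pub="$1"; dmz="$2"; port="$3"; lan="$4"

    # 1. DNAT in PREROUTING. This chain sees packets arriving from the Internet
    #    *and* from the LAN, so one rule covers both the real inbound path and
    #    the hairpin case.
    echo "iptables -t nat -A PREROUTING -d $pub -p tcp --dport $port" \
         "-j DNAT --to-destination $dmz:$port"

    # 2. Source-rewrite only the hairpinned LAN traffic. Without this, the DMZ
    #    host answers the LAN client directly; the client then receives a
    #    SYN-ACK from $dmz instead of $pub and resets the connection.
    echo "iptables -t nat -A POSTROUTING -s $lan -d $dmz -p tcp --dport $port" \
         "-j MASQUERADE"

    # 3. Let the forwarded flow through the filter table; a DMZ firewall with a
    #    DROP-by-default FORWARD policy would otherwise block it.
    echo "iptables -A FORWARD -d $dmz -p tcp --dport $port" \
         "-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $dmz -p tcp --sport $port" \
         "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Sanity check: returns 0 when a generated set contains the DNAT, the
# MASQUERADE and both FORWARD rules.
check_rules() {
    rules="$(hairpin_rules "$@")"
    printf '%s\n' "$rules" | grep -q -- '-j DNAT' &&
    printf '%s\n' "$rules" | grep -q -- '-j MASQUERADE' &&
    [ "$(printf '%s\n' "$rules" | grep -c -- 'FORWARD')" -eq 2 ]
}

hairpin_rules 203.0.113.10 192.168.0.201 8080 192.168.0.0/24
```

Two caveats a practitioner should weigh before choosing this over split DNS. The MASQUERADE is what makes the hairpin work when the DMZ host can reach the LAN client without traversing the firewall, which is the case with the single-subnet addressing in the question; on a separately routed DMZ subnet the reply already passes through the firewall and conntrack reverses the DNAT on its own. The cost is that the DMZ server sees every hairpinned connection as coming from the firewall's address, so its logs lose the real client IP, which is the usual argument for split DNS when you control the internal resolver.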