Allow local traffic to access NAT with arno-iptables-firewall

Posted August 14th, 2012 in Blog, Operations, Virtualization by guzman

The Arno iptables firewall script that ships with Debian Squeeze is wonderful: very customizable, with built-in support for many different scenarios, even some complex ones where usually the only way is to write the extra rules yourself.

But… there is always a but. If you use NAT, the machines on your internal network won't be able to reach your public NAT services; they will get connection refused.

The problem is that, to make this work, arno would need to masquerade your traffic with a public IP and send it back to the internal machine.

Below is a patch against the latest squeeze arno version (1.9.2.k-4) which does exactly that.

Warning: for security's sake the rules filter by the source IP of your NAT rule, usually 0/0, so this usually won't be an issue. However, if you are using NAT rules that filter by source IP and you want your internal traffic to be able to use that NAT from inside, you will need to add a new rule with your internal network as an allowed source address.

This patch is only for TCP, but it should be trivial to add the same to the code that handles UDP and full IP NATs.
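To make the mechanism concrete, here is an added example (not the patch above and not arno's own code) that prints the plain iptables rules a TCP port forward needs in order to be reachable from the internal network as well: the normal inbound DNAT, a second DNAT that also matches connections arriving on the LAN interface, and a POSTROUTING rule that rewrites the source so the internal server answers back through the firewall. The interface names, addresses and port are assumed values; arno's patch masquerades with the public IP, while this example uses MASQUERADE on the LAN interface, which picks the firewall's LAN address, a common alternative that works as long as the internal server's default route points at the firewall.

```shell
#!/bin/sh
# Added example: generate NAT hairpin rules for one TCP port forward.
# Constructed, assumed values (not from the original post):
EXT_IF="eth0"                 # interface holding the public address
LAN_IF="eth1"                 # interface facing the internal network
PUBLIC_IP="203.0.113.10"      # public address the service is published on
LAN_NET="192.168.1.0/24"      # internal network that should also reach it

# hairpin_nat_rules PORT INTERNAL_HOST [SRC]
# Prints (does not apply) the iptables commands for a TCP port forward
# plus the rules that let LAN clients use the public address.
# SRC is the source filter of the NAT rule, 0/0 by default as in the post.
hairpin_nat_rules() {
  port="$1"; host="$2"; src="${3:-0/0}"

  # 1. Ordinary inbound forward from the Internet side.
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$EXT_IF" "$src" "$PUBLIC_IP" "$port" "$host" "$port"

  # 2. Same translation for connections arriving on the LAN interface.
  #    The same source filter is kept on purpose: if SRC is narrower than
  #    0/0, internal clients stay excluded unless the caller adds a rule
  #    whose SRC is the internal network (the warning in the post).
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$LAN_IF" "$src" "$PUBLIC_IP" "$port" "$host" "$port"

  # 3. Rewrite the source of LAN->server hairpin traffic so the server's
  #    replies go back to the firewall (which un-NATs them) instead of
  #    straight to the client, where they would be rejected.
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
    "$LAN_IF" "$LAN_NET" "$host" "$port"
}

# Example run: publish TCP/443 of an internal host to everyone (0/0).
hairpin_nat_rules 443 192.168.1.20
```

Without rule 3 the internal server sees the client's real LAN address, replies to it directly, and the client drops the reply because it came from the server's address rather than the public IP it connected to; that is the connection refused the post describes.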
