
I have an Ubuntu server that sits in a DMZ. The server has a private IP address (10.x.x.x) and the firewall has a public IP address. All network traffic from the internet to the public IP is forwarded from the firewall to the DMZ server. This works fine.

My problem is that traffic from the server inside the DMZ to the public IP address isn't routed back by the firewall. The firewall is outside of my control so I would like to configure the server to never route outgoing traffic to the gateway in the first place but rather handle it locally.

I have been playing with iptables DNAT and MASQUERADE but so far without any luck. What rules would I have to add to accomplish this?

I have the same problem with both normal outgoing traffic and outgoing traffic from docker containers on the server that use a bridged network.

  • Define "handle locally" please. I'm not getting what that would accomplish. – fuero May 31 '17 at 14:56
  • "My problem is that traffic from the server inside the DMZ to the public IP address isn't routed back by the firewall." means that you want to connect from the DMZ server, originating the connection locally, to the public IP of the firewall, and thus, back to the DMZ server you're connecting from? If I understand this, good, can I ask you what is your goal? – Marco May 31 '17 at 17:11
  • @fuero, Traffic from my server to the public IP address is sent across the wire to the gateway/firewall. If everything were set up right that wouldn't be so bad since the gateway would just route it back to the same server. However, the gateway doesn't route the traffic back. To work around that problem I want to set up my server so that outgoing traffic to the public IP address never leaves that machine but rather is handled locally, much like loopback traffic is. (The server doesn't know about the public IP address now - it only knows its internal IP address.) – Johan Levin May 31 '17 at 19:04
  • There is nothing to "work around". Either you need the outbound connection to contact another server, or you don't. If you want your box to not even try to contact the firewall, unset the default gateway on your server. I can't imagine for which use case this would make sense though. – fuero May 31 '17 at 19:26
  • If you had taken the time to upgrade to a proper dual stack setup, you wouldn't be having that problem. Sure you'd still have to jump through the same hoops to get IPv4 working. But it wouldn't matter because the communication from the server back to itself would use IPv6 by default, and it would be more efficient because it wouldn't have to take the extra hops to the firewall and back. – kasperd Jun 04 '17 at 17:31

1 Answer


I found the answer myself eventually:

# Packets that arrive on an interface (e.g. from Docker containers via the bridge) traverse nat PREROUTING:
iptables -t nat -A PREROUTING -d X.X.X.X -j DNAT --to-destination Y.Y.Y.Y
# Packets generated by processes on the host itself traverse nat OUTPUT:
iptables -t nat -A OUTPUT -d X.X.X.X -j DNAT --to-destination Y.Y.Y.Y

Where X.X.X.X is the FW's public IP address and Y.Y.Y.Y is the server's IP address.
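As an added example that is not part of the original answer, the following POSIX shell helper applies the same two hairpin-DNAT rules in the way I would deploy them on a real host. It differs from the bare commands above in three ways a practitioner usually wants: it validates the two addresses, it narrows the match to a protocol and port when one is given (so only the ports the firewall actually forwards are hairpinned, instead of every packet addressed to the public IP), and it checks for an existing rule with `iptables -C` before appending with `-A`, so re-running the script after a reboot or a config change does not stack duplicate rules. The addresses 203.0.113.10 (public) and 10.0.0.5 (server) are placeholders, `DRY_RUN` is an assumed convenience variable that prints the commands instead of executing them, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Usage: sh hairpin.sh PUBLIC_IP SERVER_IP [PROTO PORT]
# Set DRY_RUN=1 to print the iptables commands instead of running them
# (assumed convenience variable; lets the script be inspected without root).

# is_ipv4 ADDR: true if ADDR is four dotted decimal octets in 0..255.
is_ipv4() {
    ip=$1; n=0
    while [ -n "$ip" ]; do
        o=${ip%%.*}
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
        [ "$ip" = "$o" ] && break
        ip=${ip#*.}
    done
    [ "$n" -eq 4 ]
}

# hairpin_rules PUBLIC_IP SERVER_IP [PROTO PORT]
# Prints "TABLE CHAIN RULE-SPEC" lines for the two nat chains that matter:
# PREROUTING for packets arriving on an interface (this is how traffic from
# Docker containers on a bridged network reaches the host), OUTPUT for packets
# generated on the host itself. With PROTO and PORT the match is narrowed to
# that port instead of hairpinning all traffic to the public IP.
hairpin_rules() {
    pub=$1; srv=$2; proto=$3; port=$4
    match="-d $pub"
    if [ -n "$proto" ] && [ -n "$port" ]; then
        match="$match -p $proto --dport $port"
    fi
    for chain in PREROUTING OUTPUT; do
        echo "nat $chain $match -j DNAT --to-destination $srv"
    done
}

# apply_rule TABLE CHAIN RULE-SPEC...: append the rule only if it is not
# already present, so repeated runs do not create duplicates.
apply_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables -t $table -C $chain $* || iptables -t $table -A $chain $*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -A "$chain" "$@"
}

# main PUBLIC_IP SERVER_IP [PROTO PORT]: validate input, then apply both rules.
main() {
    if ! is_ipv4 "$1" || ! is_ipv4 "$2"; then
        echo "usage: $0 PUBLIC_IP SERVER_IP [PROTO PORT]" >&2
        return 2
    fi
    hairpin_rules "$@" | while read -r table chain rest; do
        apply_rule "$table" "$chain" $rest
    done
}

# Only run when invoked with arguments, e.g.:
#   DRY_RUN=1 sh hairpin.sh 203.0.113.10 10.0.0.5 tcp 443
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Two things the rules alone do not cover: nat rules added this way are gone after a reboot, so on Ubuntu save them with the iptables-persistent package (netfilter-persistent save) or re-run the script from a boot-time unit; and after applying them, confirm the hairpin is taking effect with `iptables -t nat -L OUTPUT -n -v` and `iptables -t nat -L PREROUTING -n -v`, whose packet counters for the DNAT lines should increase when you connect to the public IP from the host and from a container.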