Hi,
For me, a hosts file or DNS was undesirable, due to the number of entries I would have needed to make. The solution is to make a SNAT rule effectively matching the DNAT rule so that the replies keep going "outside" and back in via the firewall.
It appears that Endian won't create a SNAT rule using the external interfaces. I believe this is a bug. Additionally, the SNAT rules it DOES make can't be configured (as far as I can tell) to be POSTROUTING rules. Long story short, this is how you do it. Change the line below to match the PORT/SERVICE you want to loopback AND the public IP address you want it to reply from:
Run this from the command line, and it will take effect in real time. It's likely to get overwritten the next time you make changes to the firewall; I'd love for someone else to chime in on how to make this rule addition permanent:
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.104 -p tcp --dport XX -j SNAT --to-source XX...
where:
- 192.168.1.0/24 is my private NAT network
- 192.168.1.104 is the "destination" address of the original DNAT server rule (e.g. the real server's internal IP)
- --dport XX = the service you want to loopback
- XX... is the public IP you are using to access the service (i.e. where replies should come from)
Also add that line to /etc/firewall/snat/iptablessnat. Perhaps in that file it will survive a reboot, but I'm certain the next time I add any firewall ports this will get overwritten.
Someone please tell me how to make this change permanent.
Thanks,
James
www.cloud5nines.com
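To show why the POSTROUTING SNAT rule above is needed, here is an added Python model of the hairpin flow (not code from the post or from Endian): it traces one LAN request to the public IP through DNAT, optional SNAT and the server's reply. The public IP 203.0.113.10, client 192.168.1.50 and port 443 are assumed placeholders; 192.168.1.0/24 and 192.168.1.104 are the values from the post.

```python
"""Model of hairpin (loopback) NAT: a LAN client reaching the public IP of a
DNAT-published server that sits on the same LAN. Constructed example; addresses
other than those in the post are RFC 5737 / assumed placeholders."""
from dataclasses import dataclass

LAN = "192.168.1."            # private NAT network 192.168.1.0/24 (from the post)
SERVER = "192.168.1.104"      # internal real server (from the post)
PUBLIC = "203.0.113.10"       # assumed public IP the DNAT rule listens on
CLIENT = "192.168.1.50"       # assumed LAN client
PORT = 443                    # assumed published service port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    """True when the address is on the 192.168.1.0/24 private network."""
    return ip.startswith(LAN)


def hairpin_flow(use_snat: bool):
    """Return (client_accepts_reply, source_as_seen_by_server) for one request.
    Models PREROUTING DNAT, the optional POSTROUTING SNAT and conntrack reversal."""
    pkt = Packet(CLIENT, PUBLIC, PORT)
    # Firewall PREROUTING: existing port-forward, DNAT PUBLIC:PORT -> SERVER
    pkt = Packet(pkt.src, SERVER, pkt.dport)
    # Firewall POSTROUTING: the post's SNAT rule, -s LAN -d SERVER --dport PORT
    if use_snat and in_lan(pkt.src) and pkt.dst == SERVER and pkt.dport == PORT:
        pkt = Packet(PUBLIC, pkt.dst, pkt.dport)
    server_sees = pkt.src
    # The server replies to whatever source address it saw.
    reply = Packet(SERVER, server_sees, 0)
    if in_lan(reply.dst):
        # Same subnet: the reply goes straight to the client, bypassing the
        # firewall, so it arrives from SERVER instead of PUBLIC and the
        # client's socket (expecting PUBLIC) drops it.
        client_receives_from = reply.src
    else:
        # Reply addressed to PUBLIC comes back to the firewall, where conntrack
        # undoes SNAT and DNAT, so the client sees it coming from PUBLIC.
        client_receives_from = PUBLIC
    return client_receives_from == PUBLIC, server_sees
```

Without the SNAT rule the server answers the client directly and the connection never completes; with it the reply is forced back through the firewall, which is exactly the "replies keep going outside and back in" behaviour the post describes.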