Reply To: nat reflection


Aha. I am working on this now!

I have just added the following to the ‘NAT and Virtual Servers Script’ on a test system here:

iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT --to
iptables -A FORWARD -p tcp --dport 80 -d -j ACCEPT
iptables -t nat -A POSTROUTING -s -p tcp --dport 80 -d -j MASQUERADE

WAN IP in my case in this test setup is LAN web server is

This initially did not work – I did notice that it added the following line to POSTROUTING – this looked right and I thought it *should* work. Alas no.

MASQUERADE tcp -- * * tcp dpt:80

However – if I enable the LAN interface (ETH0) as NAT (move it from left to right in the NAT settings page) – then all of a sudden it works! Hurrah! The additional line added to POSTROUTING when enabling NAT on the LAN interface was:


I only had NAT enabled on the WAN interface – that just seemed to work fine and there was never a need to enable NAT on the LAN interfaces as well…..

I then experimented – thinking perhaps I could remove the first two lines – but alas – this only works with all three lines – even if I already configured a Virtual Server to route traffic from WAN to LAN.

So now I have this working in my test setup – I just have to take a deep breath and apply it to live. Adding NAT to ETH3 seems like a bit of a blunderbuss method – if someone has an idea of how to achieve a working solution without having to NAT everything on ETH3 – or can spot why this script isn’t working on its own – that would be my preferred solution I think.

Nearly there with this anyway….
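
Added example, not part of the original post: a small Python model of one hairpinned connection, showing why a LAN client needs the POSTROUTING source NAT in addition to the PREROUTING DNAT. All addresses are constructed (documentation and private ranges, not the poster's), and the names `hairpin`, `WAN_IP`, `ROUTER_LAN`, `SERVER` and `LAN` are assumptions made for the illustration.

```python
# Model of NAT reflection (hairpin NAT) for one TCP/80 connection.
# Addresses are constructed sample values, not taken from the post.
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("203.0.113.10")      # assumed router WAN address
ROUTER_LAN = ip_address("192.168.1.1")   # assumed router LAN address
SERVER = ip_address("192.168.1.20")      # assumed LAN web server
LAN = ip_network("192.168.1.0/24")       # assumed LAN subnet


def hairpin(client, masquerade):
    """Follow a LAN client's connection to WAN_IP:80 and back.

    Returns (source address of the reply as the client receives it,
             True if the client's TCP stack would accept that reply).
    """
    client = ip_address(client)
    src, dst = client, WAN_IP

    # PREROUTING DNAT: traffic for WAN_IP:80 is redirected to the server.
    if dst == WAN_IP:
        dst = SERVER

    # POSTROUTING MASQUERADE, scoped like "-s LAN -d SERVER --dport 80":
    # the source becomes the router's address on the outgoing interface.
    if masquerade and src in LAN and dst == SERVER:
        src = ROUTER_LAN

    # The server answers whatever source address it saw.
    reply_src, reply_dst = dst, src

    if reply_dst == ROUTER_LAN:
        # Reply goes back through the router, where connection tracking
        # reverses both translations before delivery to the client.
        reply_src, reply_dst = WAN_IP, client
    # Otherwise the reply is addressed to the client on the same subnet,
    # so it is delivered directly on the LAN and the DNAT is never undone.

    # The client connected to WAN_IP and only accepts replies from it.
    return str(reply_src), reply_src == WAN_IP


if __name__ == "__main__":
    for snat in (False, True):
        print("masquerade =", snat, "->", hairpin("192.168.1.50", snat))
```

In the model the source rewrite is limited to LAN clients talking to the one server on port 80, which is the scope of the third rule in the post rather than NAT on the whole interface.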