Reply To: nat reflection

Home Page Forums Network Management ZeroShell nat reflection Reply To: nat reflection


Oh dear – it would help, when asking for help – if I actually type in scripts correctly – it looks like I really cocked stuff up!

For the sake of completeness (and hopefully clarity) here are the settings and (hopefully) correct resolution:

Interface IPs on ZS Box:

ETH0 = WAN Interface (
ETH3 = VLAN A Interface (
ETH3 = VLAN B Interface (

LAN Server IPs

Server A, VLAN A =
Server B, VLAN B =

This device is being used only for routing PAT / NAT as we have a transparent firewall device handling firewall stuff.

The desired functionality is for Server A to have PAT from WAN, but also this should work for servers in the same subnet / VLAN as Server A (VLAN A) – *AND* also for Server B in VLAN B.

SO. After finally figuring out that I just plain typed up the script totally **wrong**, the following script now works – with no NAT mods required – with just the following TWO lines:

iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT --to
iptables -t nat -A POSTROUTING -s -p tcp --dport 80 -d -j MASQUERADE

I am assuming therefore, if I wanted (as per the above example) Server B to be able to connect to Server A but using the PAT on ETH0/WAN interface – I would need to add a third line, for an extra POSTROUTING entry for Server Bs subnet? So the final rule would look like this:

iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT --to
iptables -t nat -A POSTROUTING -s -p tcp --dport 80 -d -j MASQUERADE
iptables -t nat -A POSTROUTING -s -p tcp --dport 80 -d -j MASQUERADE

This looks good to you guys?

The reason why the first PREROUTING line is required, when there is already a Virtual Server entry set up to forward traffic from the WAN to Server A, is that this Virtual Server rule is set only to ETH0 as ‘in’ – which does not work for my case, as I am wanting the ‘in’ interface to also include traffic coming in from ETH3.

Sure enough, if I remove the interface specific Virtual Server rule and re-add it, this time with the interface set as ‘ANY’ – the ‘NAT Reflection’ works with just the POSTROUTING entries only.