[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: UDP NAT [Nat to DNS Server]

That is in fact what I am trying to do. I already tried to forward port 53
for both tcp and UDP but the problem is the packets are never coming back
out of the NAT. TCP works fine but dns uses UDP mostly. In addition to DNS
one of the departments within our network needs a "bidirectional" UDP NAT.
The configuration was working when we were using a Cisco firewall so I
assume it can be done.

Here is a diagram.

-----------    -----------------      -----------
| Internet |---| Linux Firewall |-----| Switch  |
-----------    -----------------      -----------
                                         |    |
                                         |    |      ---------------------
                                         |    |------| UDP NAT port 2001 |
                                         |           ---------------------
                                      |DNS Server|

Here is my UDP nat attempt.
$IPTABLES -A PREROUTING -p udp -t nat -d pub.lic.ip.add --dport 2001 -j
DNAT --to


----- Original Message -----
From: "Matthew Palmer" <mjp16@ieee.uow.edu.au>
To: "Ryan White" <ryan@itamigo.com>
Cc: <debian-firewall@lists.debian.org>
Sent: Monday, December 17, 2001 6:30 PM
Subject: Re: UDP NAT [Nat to DNS Server]

> On Mon, 17 Dec 2001, Ryan White wrote:
> > I am looking to make a NAT to a DNS server and also a "bidirectional"
> > NAT. Is this possible? I have seen this kind of thing done on Cisco
> > but haven't been able to do it in iptables.
> I'm not entirely sure what you're referring to, but if you want a DNS
> on a machine which is on a private network which uses NAT to access the
> Internet, I'm here to tell you it's possible, and really easy.
> Port forward 53 to the internal box, and NAT will take care of the rest.
> If that's not what you want, then try explaining in detail (ASCII diagrams
> are a pain to draw but work well) what it is, precisely, you want.  I'm
> to find too much which iptables isn't capable of.
> Matt
> iptables fanatic
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact

Reply to: