Proper way to setup DNAT to servers inside a different internal network (VPN)?

Charles charles at
Mon Apr 18 12:34:03 CEST 2005

Dear all,

My boss needs me to set up a DNAT at the gateway into a LAN server behind an IPSec VPN, which is not on the same network as the pub gateway. That creates a big problem! I hope someone can help me!

The pub gateway is a RedHat 8.0 Linux with kernel 2.4.18, iptables 1.2.6a. is the public IP of the pub gateway, is the internal network address of the pub gateway, and is the internal network of the LAN server.
The VPN gateway on the LAN network is also the LAN gateway, and has its own broadband connection to the Internet.
We need to forward at least (will be more in the future) HTTP, FTP and PPTP traffic at into the LAN server!!

I try to draw the network config here:
[Internet client] <--> (eth0: [pub gateway] (eth1: <-(VPN)-> [vpn gateway] (eth1: <-LAN->(eth0: LAN

I've successfully made it half the way by using DNAT and SNAT:
iptables -t nat -A PREROUTING -i eth0 -d -j DNAT --to
iptables -t nat -A POSTROUTING -d -j SNAT --to-source

- Internet client connecting to HTTP can connect to the LAN server; browsing web pages is OK, but when doing an HTTP POST upload it fails by hanging for a period of time, and then the browser reports webpage not found!
- Internet client connecting to FTP can connect to the LAN server, but FTP cannot start a file transfer in either active or passive mode!
- Internet client connecting to PPTP can connect to the LAN server and start the PPTP VPN connection, strange?

Am I missing something?

Thanks a lot!
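For readers working through the same setup, here is a complete rule set of the kind the post sketches (DNAT inbound, SNAT so replies come back through the pub gateway rather than the VPN gateway's own broadband link), with the piece the post leaves out: a FORWARD chain that admits only the published services, so the DNAT does not expose the whole remote LAN. This is an added example, not code from the original post or from the netfilter project; every address, interface name and port list is a constructed placeholder (the post's real values are elided), and the script only prints the rules unless APPLY=1 is set. The ESTABLISHED,RELATED rule that lets FTP data connections through depends on the conntrack FTP helper, which on a 2.4 kernel means the ip_conntrack_ftp and ip_nat_ftp modules must be loaded; whether they were loaded in the original setup is not stated in the post.

```shell
#!/bin/sh
# Added example (not from the original post): NAT + filter rules for publishing
# a LAN server that sits behind a VPN gateway. All values below are constructed
# placeholders. Prints the rules by default; APPLY=1 executes them.

PUB_IF="eth0"            # public interface of the pub gateway (assumed)
PUB_IP="203.0.113.10"    # constructed public address (TEST-NET-3 range)
GW_INT_IP="192.168.1.1"  # constructed: pub gateway's address on its internal net
SRV_IP="192.168.2.20"    # constructed: LAN server reached across the VPN
TCP_PORTS="80 21 1723"   # HTTP, FTP control, PPTP control (GRE handled below)

# run_rule: print the iptables command; execute it only when APPLY=1
run_rule() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

# nat_rules: DNAT the published ports to the server, and SNAT to this
# gateway's internal address so the server's replies return via this path
# (its default route points at the VPN gateway, not at us).
nat_rules() {
    for p in $TCP_PORTS; do
        run_rule -t nat -A PREROUTING -i "$PUB_IF" -p tcp -d "$PUB_IP" --dport "$p" \
            -j DNAT --to-destination "$SRV_IP"
    done
    # PPTP data channel is GRE, IP protocol 47, which has no port
    run_rule -t nat -A PREROUTING -i "$PUB_IF" -p 47 -d "$PUB_IP" \
        -j DNAT --to-destination "$SRV_IP"
    run_rule -t nat -A POSTROUTING -d "$SRV_IP" -j SNAT --to-source "$GW_INT_IP"
}

# filter_rules: forward only the published services toward the server;
# RELATED covers FTP data connections when the conntrack FTP helper is loaded.
filter_rules() {
    run_rule -A FORWARD -d "$SRV_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $TCP_PORTS; do
        run_rule -A FORWARD -d "$SRV_IP" -p tcp --dport "$p" -j ACCEPT
    done
    run_rule -A FORWARD -d "$SRV_IP" -p 47 -j ACCEPT
    run_rule -A FORWARD -d "$SRV_IP" -j DROP
}

# all_rules: the complete set, nat table first, then filter table
all_rules() {
    nat_rules
    filter_rules
}

all_rules
```

Run it as-is to review the generated rules; run with APPLY=1 on the gateway to install them. Adding a new service means appending its port to TCP_PORTS, which updates both the DNAT and the FORWARD accept rule together.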

