Locally route traffic from DMZ-server to firewall’s public IP address [duplicate]

I have an Ubuntu server that sits in a DMZ. The server has a private IP address (10.x.x.x) and the firewall has a public IP address. All network traffic from the internet to the public IP is forwarded from the firewall to the DMZ server. This works fine.

My problem is that traffic from the server inside the DMZ to the public IP address isn’t routed back by the firewall. The firewall is outside of my control so I would like to configure the server to never route outgoing traffic to the gateway in the first place but rather handle it locally.

I have been playing with iptables DNAT and MASQUERADE but so far without any luck. What rules would I have to add to accomplish this?

I have the same problem with both normal outgoing traffic and outgoing traffic from docker containers on the server that use a bridged network.


I found the answer myself eventually:

# Traffic arriving on an interface (e.g. from bridged docker containers via docker0)
iptables -t nat -A PREROUTING -d X.X.X.X -j DNAT --to-destination Y.Y.Y.Y
# Traffic generated locally by processes on the server itself
iptables -t nat -A OUTPUT -d X.X.X.X -j DNAT --to-destination Y.Y.Y.Y

Where X.X.X.X is the FW’s public IP address and Y.Y.Y.Y is the server’s IP address.

Source: Link, Question Author: Johan Levin, Answer Author: Johan Levin
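The two rules from the answer, as an added example that is not part of the original post: a POSIX shell script that applies them idempotently (using `iptables -C` so re-running does not stack duplicates) and covers both locally generated traffic (OUTPUT) and traffic forwarded from Docker's bridge (PREROUTING). The addresses are constructed placeholders, and `hairpin_commands` is a helper introduced here for reviewing the commands before applying them.

```shell
#!/bin/sh
# Hairpin NAT on a DMZ host: packets addressed to the firewall's public IP are
# rewritten to the server's own address so they never leave for the gateway.
# Constructed placeholder addresses; replace with the real ones.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # firewall's public IP (X.X.X.X)
SERVER_IP="${SERVER_IP:-10.0.0.5}"       # this server's DMZ address (Y.Y.Y.Y)

# Match/target part shared by both chains: destination public IP -> DNAT to server.
hairpin_rule_spec() {
    printf '%s\n' "-d $1 -j DNAT --to-destination $2"
}

# Print the exact iptables commands for review (nothing is executed here).
hairpin_commands() {
    spec=$(hairpin_rule_spec "$1" "$2")
    printf '%s\n' "iptables -t nat -A OUTPUT $spec"      # host's own processes
    printf '%s\n' "iptables -t nat -A PREROUTING $spec"  # bridged containers
}

# Append a nat rule only if an identical one is not already present.
ensure_nat_rule() {
    chain="$1"; shift
    if iptables -t nat -C "$chain" "$@" 2>/dev/null; then
        echo "already present: $chain $*"
    else
        iptables -t nat -A "$chain" "$@"
    fi
}

apply_hairpin_nat() {
    # The spec is intentionally word-split into separate iptables arguments.
    # OUTPUT covers locally generated traffic; PREROUTING covers packets that
    # arrive on any interface, including docker0 from containers.
    ensure_nat_rule OUTPUT $(hairpin_rule_spec "$PUBLIC_IP" "$SERVER_IP")
    ensure_nat_rule PREROUTING $(hairpin_rule_spec "$PUBLIC_IP" "$SERVER_IP")
    # Show the nat table with packet counters so a test connection can be
    # confirmed to hit the new rules instead of leaving via the gateway.
    iptables -t nat -L -n -v --line-numbers
}

# Only touch the kernel tables when explicitly requested (requires root).
if [ "${HAIRPIN_APPLY:-0}" = 1 ]; then
    apply_hairpin_nat
fi
```

Run `HAIRPIN_APPLY=1 sh hairpin.sh` as root to apply; without that variable the script only defines the functions, so `hairpin_commands 203.0.113.10 10.0.0.5` can be used to print the rules for review first.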
