I've been trying out the --NAT-local functionality with v2.0.3 (on Linux Mint) & v2.0.0-rc1 (on OpenWRT), and I've observed that ENABLE_IPT_FORWARDING must be enabled in fwknopd.conf, otherwise the FWKNOP_PREROUTING chain is not created in the 'nat' table (under iptables). This seems to effectively prevent --NAT-local usage from working at all, as the necessary DNAT rule is not generated.

From my reading of the fwknopd documentation, it seems that having ENABLE_IPT_LOCAL_NAT enabled should be sufficient to enable --NAT-local functionality. (I understand that ENABLE_IPT_FORWARDING is required for --NAT-access access to machines behind the firewall running fwknopd.) Am I misunderstanding the meaning of these options, or could this be a bug? I have not yet tested this in v2.0.4, but I didn't find any mention of this problem in the changelog.


Will D. Spann
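A way to check for the condition described in the post above, as an added example that is not part of the original message or of fwknop: it compares the two fwknopd.conf options named there against whether FWKNOP_PREROUTING is declared in the 'nat' table of saved `iptables-save` output. The function names, the `KEY  VALUE;` config line format and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of fwknop. Assumes fwknopd.conf holds
# "KEY  VALUE;" lines with '#' comments, and that the rules file is the
# saved output of iptables-save.

# conf_flag FILE KEY: print Y if KEY is set to Y, else N (unset counts as N).
conf_flag() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { v = $2; sub(/;.*$/, "", v); val = toupper(v) }
        END { print ((val == "Y") ? "Y" : "N") }' "$1"
}

# nat_has_chain FILE CHAIN: succeed if CHAIN is declared in the *nat table.
nat_has_chain() {
    awk -v chain="$2" '
        /^\*/ { in_nat = ($0 == "*nat") }
        in_nat && $1 == (":" chain) { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_nat_local CONF RULES: report whether the chain state matches the config.
check_nat_local() {
    local_nat=$(conf_flag "$1" ENABLE_IPT_LOCAL_NAT)
    fwd=$(conf_flag "$1" ENABLE_IPT_FORWARDING)
    chain=missing
    if nat_has_chain "$2" FWKNOP_PREROUTING; then chain=present; fi
    verdict=OK
    if [ "$local_nat" = Y ] && [ "$chain" = missing ]; then verdict=MISMATCH; fi
    echo "$verdict local_nat=$local_nat forwarding=$fwd chain=$chain"
}

# Constructed sample: local NAT on, forwarding off, no FWKNOP_PREROUTING chain.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'ENABLE_IPT_FORWARDING    N;' \
        'ENABLE_IPT_LOCAL_NAT     Y;' > "$d/fwknopd.conf"
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' 'COMMIT' \
        '*filter' ':FWKNOP_INPUT - [0:0]' 'COMMIT' > "$d/rules"
    check_nat_local "$d/fwknopd.conf" "$d/rules"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then check_nat_local "$1" "$2"; else demo; fi
```

Run with the path to fwknopd.conf and a file holding `iptables-save` output captured while fwknopd is running; with no arguments it runs on the constructed sample.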