apr_1985 - 2014-03-17


I have 10 servers each of which has a NAT rule to translate the address from 10.16.57.X (public address), to 10.19.157.X (private/internal address).
With no firewall rules, the other machines on 10.16.X.X can talk directly to the servers on both the public and private addresses, which I do not want. I only want other things to be able to talk to the servers through the NAT addresses.
I have a firewall rule (in policy) which blocks anything from the 10.16.X.X net from talking directly to the servers' 10.19.157.X addresses, but from what I can see the NAT translation seems to happen before the firewall rules are applied, which means that even if something talks to the 10.16.57.X address it gets translated and then blocked by the rule which doesn't allow 10.16.X.X to talk directly to the 10.19.157.X addresses.

Is there a way that I can get firewall rules to be applied on incoming traffic before the NAT translation happens?
I am using iptables if that makes a difference.

Thanks for your help.
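An added example, not part of the original post, showing one way to express the rule the question asks for. In iptables the nat PREROUTING chain rewrites the destination before filter FORWARD ever sees the packet, so the filter rule cannot usefully match on 10.16.57.X; what it can match on is the destination conntrack recorded before translation, via the conntrack match's `--ctorigdst`. The script below generates (and, with `--apply`, loads) a ruleset that allows forwarded flows whose pre-NAT destination was a public 10.16.57.X address and logs and drops direct access from 10.16.0.0/16 to the private 10.19.157.X addresses. The /24 masks, host numbers 1 to 10, the 10.16.0.0/16 client range and the assumption that this host is the forwarding NAT gateway are all mine, not taken from the post:

```shell
#!/bin/sh
# Added example (not from the original post): build and optionally apply an iptables
# ruleset for the NAT gateway described in the question.  Assumed values: public
# (NAT'd) addresses 10.16.57.0/24, private addresses 10.19.157.0/24, hosts 1-10,
# clients on 10.16.0.0/16, and this box forwards the traffic between them.
PUBLIC_NET="10.16.57.0/24"
PRIVATE_NET="10.19.157.0/24"
CLIENT_NET="10.16.0.0/16"
FIRST_HOST=1
LAST_HOST=10

# One DNAT rule per server, public -> private (the "NAT rule per server" of the question).
dnat_rules() {
    i=$FIRST_HOST
    while [ "$i" -le "$LAST_HOST" ]; do
        echo "-A PREROUTING -d 10.16.57.$i -j DNAT --to-destination 10.19.157.$i"
        i=$((i + 1))
    done
}

# Full iptables-restore ruleset on stdout.
# nat/PREROUTING runs before filter/FORWARD, so by the time the filter rules see a
# packet its destination is already 10.19.157.X.  Rather than matching the rewritten
# address, match what conntrack stored as the ORIGINAL destination (--ctorigdst):
# a flow whose pre-NAT destination was a public address is accepted; direct access
# to a private address is logged and dropped.
build_ruleset() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    dnat_rules
    echo "COMMIT"
    echo "*filter"
    echo ":FORWARD ACCEPT [0:0]"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -s $CLIENT_NET -d $PRIVATE_NET -m conntrack --ctstate DNAT --ctorigdst $PUBLIC_NET -j ACCEPT"
    echo "-A FORWARD -s $CLIENT_NET -d $PRIVATE_NET -j LOG --log-prefix \"direct-to-private: \""
    echo "-A FORWARD -s $CLIENT_NET -d $PRIVATE_NET -j DROP"
    echo "COMMIT"
}

# Sanity check run before applying: the accept rule must key on the pre-NAT
# destination and must come before the direct-access drop.  Returns 0 when both hold.
check_ruleset() {
    rules=$(build_ruleset)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "--ctorigdst $PUBLIC_NET -j ACCEPT" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-d $PRIVATE_NET -j DROP" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Usage: ./nat-filter.sh          (print the ruleset)
#        ./nat-filter.sh --apply  (load it with iptables-restore, as root)
if [ "${1:-}" = "--apply" ]; then
    check_ruleset && build_ruleset | iptables-restore
else
    build_ruleset
fi
```

If you would rather reject the traffic before NAT happens at all, the same source/destination match with a DROP target can go in the mangle PREROUTING chain, which is traversed before nat PREROUTING; the conntrack approach above has the advantage of keeping all filtering decisions in the filter table where the rest of the policy lives.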