RE: snat differant ip from dmz interface only ??

To: <debian-firewall@lists.debian.org>
Subject: RE: snat differant ip from dmz interface only ??
From: simpletone@datapimp.org
Date: Thu, 3 Oct 2002 17:58:04 -0700 (PDT)
Message-id: <[🔎] 44549.202.45.109.22.1033693084.squirrel@dpemail.com>
Reply-to: simpletone@datapimp.org

sorry for reply post.. but

it is simply done with SNAT, however if you have a MASQ rule in there, it
masq's before it jumps to the SNAT rules..

thus, working eg:

#iptables -t nat -A POSTROUTING -o $ETX -d \! $LAN -j MASQEURADE
iptables -t nat -A POSTROUTING -o $EXT -s 1.0.0.0 -j SNAT --to y.y.y.y
iptables -t nat -A POSTROUTING -o $EXT -s 2.0.0.0 -j SNAT --to x.x.x.x


one security concern however is that you cannot specify incoming
interfaces..

eg:

iptables -t nat -A PSOTROUTING -o $EXT -s 1.0.0.0 -j SNAT --to y.y.y.y
iptables -t nat -A PSOTROUTING -o $EXT -s 2.0.0.0 -j SNAT --to x.x.x.x

thus if (honey net is example) a hostile box changes its ip addressing
then it will (if it makes it too the postrouting chain), snat for that ip

Reply to:

Prev by Date: snat differant ip from dmz interface only ??
Next by Date: Virus scan on the fly
Previous by thread: snat differant ip from dmz interface only ??
Next by thread: Virus scan on the fly
Index(es):
- Date
- Thread