Fwd: SNAT? DNAT? Why?
Hello, I have a Debian 3.0 system, kernel 2.4.18.
+-------------+     +-------------+
| DSL router  |     | ISDN router |
| 192.168.0.1 |     | 192.168.1.1 |
+------+------+     +------+------+
       |                   |
       |                   |
+------+-------------------+------+
| eth2                 eth0       |
| 192.168.0.10         192.168.1.10 |
|                                 |
|            eth1                 |
|            172.16.3.6           |
+--------------+------------------+
               |
               |
+--------------+------------------+
|  internal net 172.16.3.0/24     |
+---------------------------------+

The setup is as follows:
email traffic via the ISDN router
www via the DSL router
pstree:
qmail
squid
apache
My firewall script:
!! SNAT Rules
How do I make them correct?
internal browser => port 3128:eth1
pop/smtp => eth0
#!/bin/sh
route add -net 172.16.1.0/24 gw 172.16.3.2
### eth0 Internet
DTAG_NET="192.168.1.0/24"
DTAG_INTERFACE="eth0"
DTAG_IP="192.168.1.10"
### eth1 internal
INTERN_NET="172.16.3.0/24"
INTERN_INTERFACE="eth1"
INTERN_IP="172.16.3.6"
### eth2 DSL
DMZ01_NET="192.168.0.0/24"
DMZ01_INTERFACE="eth2"
DMZ01_IP="192.168.0.10"
### Kernel-Tuning
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "8182" > /proc/sys/net/ipv4/ip_conntrack_max
### Firewall Rules
### SNAT Rules
#
# ????????????????????????????????
iptables -t nat -A PREROUTING -i $INTERN_INTERFACE -p -j DNAT --to $DMZ01_IP
iptables -t nat -A POSTROUTING -o $DTAG_INTERFACE -s $INTERN_NET -j SNAT --to $DTAG_IP
### EOF
#route:
Destination   Gateway       Genmask           Flags Metric Ref  Use Iface
192.168.0.10  192.168.0.1   255.255.255.255   UGH   0      0    0   eth2
192.168.0.0   *             255.255.255.0     U     0      0    0   eth0
172.16.3.0    *             255.255.255.0     U     0      0    0   eth1
192.168.0.0   *             255.255.255.0     U     0      0    0   eth2
172.16.1.0    172.16.3.2    255.255.255.0     UG    0      0    0   eth1
default       192.168.1.1   0.0.0.0           UG    0      0    0   eth0
#ip ru ls:
0: from all lookup local
32765: from 192.168.0.10 lookup DSL
32766: from all lookup main
32767: from all lookup default
#ip ro ls:
192.168.0.10 via 192.168.0.1 dev eth2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
172.16.3.0/24 dev eth1 proto kernel scope link src 172.16.3.6
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.10
172.16.1.0/24 via 172.16.3.2 dev eth1
default via 192.168.1.1 dev eth0
Regards,
Torsten
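One way to write the NAT part for a three-interface box like the one above, as an added example and not Torsten's script: source NAT is applied per egress interface (which interface a packet leaves on is decided by the routing tables, not by NAT), the internal browsers are redirected to the local proxy port 3128 named in the post, and every rule is printed for review unless APPLY=1 is set. The tcp/80 match and the squid listener on 3128 are assumptions; the addresses and interface names are taken from the post.

```shell
#!/bin/sh
# Added example, not the original firewall script. Addresses come from the
# post; squid listening on tcp/3128 on the firewall is an assumption.
INTERN_INTERFACE="eth1"; INTERN_NET="172.16.3.0/24"
DTAG_INTERFACE="eth0";   DTAG_IP="192.168.1.10"     # ISDN side
DMZ01_INTERFACE="eth2";  DMZ01_IP="192.168.0.10"    # DSL side
SQUID_PORT="3128"                                    # assumed proxy port

# Dry-run wrapper: print the rule unless APPLY=1, so the rule set can be
# read (or diffed against the last version) before it touches the kernel.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

nat_rules() {
    # Source NAT once per egress interface. Traffic routed out eth0 (ISDN)
    # gets the eth0 address, traffic routed out eth2 (DSL) the eth2 address;
    # a single SNAT rule on eth0 alone leaves DSL-bound packets un-NATed.
    ipt -t nat -A POSTROUTING -o "$DTAG_INTERFACE" -s "$INTERN_NET" \
        -j SNAT --to-source "$DTAG_IP"
    ipt -t nat -A POSTROUTING -o "$DMZ01_INTERFACE" -s "$INTERN_NET" \
        -j SNAT --to-source "$DMZ01_IP"
    # Transparent proxy: web requests from the internal net are redirected
    # to squid on the firewall itself. A port-based NAT rule needs an
    # explicit protocol (-p tcp) before --dport is valid.
    ipt -t nat -A PREROUTING -i "$INTERN_INTERFACE" -s "$INTERN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Number of NAT rules the script would load (useful as a sanity check
# against an unintentionally empty or duplicated rule set).
count_nat_rules() {
    nat_rules | grep -c '^iptables -t nat'
}

nat_rules
```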