Filtering routed packets

Situation:
One machine, ALPHA, with only one NIC. This machine has 3 addresses, all
bound to the same interface: Aa, which is its public address; Ba, which is
another public address; Ca, which is a private address.
There is in the net a second machine, BETA, with 2 modems connected.
This machine has another NIC with 2 addresses: one, Ab, on the same subnet
as Aa and Ba, and one, Cb, on the same subnet as C (physically the subnet
is the same). The modem is given one address, Cm, on the "C" subnet.

The problem:
ALPHA should act as a router-firewall and let all the traffic pass to the
Ab and Cb addresses except some ports (80 135 137 139 443 445). But any
traffic originating from Cm must get special treatment:
it must be masqueraded and appear as originating from Ba, without any
filtering.
How to do it?
I have the rules for masq: if I connect a single host with the Cm address
it works nicely, but if I call from outside I can log on to any machine using
a C address, but I do not traverse the "fw" as I do if I use the same
address directly. If I traceroute from outside instead I get a ping!
Any hint?

The rules are:

vettore:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- anywhere 150.217.9.154 to:172.25.9.195
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.25.9.195 anywhere to:150.217.9.154
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
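The post shows only the nat table, but the "let everything pass except some ports" part lives in the filter table's FORWARD chain, and on a single-NIC router the forwarded packets enter and leave on the same interface. Below is an added example (not the poster's own ruleset) of one complete configuration for the topology described above. It reuses the two addresses visible in the post's nat table (150.217.9.154 as Ba, 172.25.9.195 as Cm); the Ab and Cb addresses and the interface name are constructed placeholders. By default the script only prints the iptables commands so they can be reviewed; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Dry-run by default:
# IPT="echo iptables" prints commands instead of running them.
IPT="${IPT:-echo iptables}"

# Addresses from the post's nat table:
BA=150.217.9.154      # Ba, the public address Cm should appear as
CM=172.25.9.195       # Cm, the modem's address on the private "C" subnet
# Constructed placeholders (assumed, not from the post):
AB=192.0.2.20         # Ab, BETA's address on the public subnet
CB=172.25.9.20        # Cb, BETA's address on the "C" subnet
BLOCKED_PORTS="80,135,137,139,443,445"

build_rules() {
    # --- nat table: 1:1 mapping Cm <-> Ba, as in the post.
    # PREROUTING runs before routing and before FORWARD, so by the time a
    # packet from outside reaches FORWARD its destination is already Cm.
    $IPT -t nat -A PREROUTING  -d "$BA" -j DNAT --to-destination "$CM"
    # POSTROUTING runs after FORWARD, so FORWARD still sees Cm as source.
    $IPT -t nat -A POSTROUTING -s "$CM" -j SNAT --to-source "$BA"

    # --- filter table: default deny for routed traffic, allow replies.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Cm is exempt from filtering in both directions (matched on the
    # private address because NAT has already rewritten Ba to Cm here).
    $IPT -A FORWARD -s "$CM" -j ACCEPT
    $IPT -A FORWARD -d "$CM" -j ACCEPT

    # Everything else to Ab and Cb passes, except the listed ports.
    for host in "$AB" "$CB"; do
        $IPT -A FORWARD -d "$host" -p tcp -m multiport --dports "$BLOCKED_PORTS" -j DROP
        $IPT -A FORWARD -d "$host" -p udp -m multiport --dports "$BLOCKED_PORTS" -j DROP
        $IPT -A FORWARD -d "$host" -j ACCEPT
    done
}

# Count of rules emitted; handy for checking the dry run.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

build_rules
```

Order matters in FORWARD: the Cm accept rules must precede the per-port DROPs, otherwise a packet DNATed to Cm would never reach them. Forwarding itself also has to be switched on (net.ipv4.ip_forward=1), which the post's nat table does not show.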