
Re: Iptable NAT problem



On 9 Aug 2004, pradeeper@unionb.com wrote:
> We have a small network like this,
>
> --------------                  eth1  ----------  eth0
> | WWW Server |-----------------------| Firewall |-------------> Internet
> --------------                        ----------
> 192.168.1.4
> [203.94.71.36]
>
> Firewall:
> eth0: 203.94.71.42
> eth1: 192.168.1.1
>
> WWW Server:
> eth0: 192.168.1.4
>
> Ok! Problem is...,
>
> o What we want is, who ever asking ip address 203.94.71.36 redirect
> (DNAT) to 192.168.1.4
>
> What will be the correct and secured iptables entry we can use?

You might look at some sort of useful firewall script that makes it
easier, but you need the two statements, pretty much:

# Rewrite the destination of anything arriving for the public address
iptables -t nat -A PREROUTING -d 203.94.71.36 \
         -j DNAT --to-destination 192.168.1.4

# The FORWARD chain sees the packet after DNAT, so the destination to
# match here is the internal address, not the public one
iptables -t filter -A FORWARD -d 192.168.1.4 ... -j ACCEPT

Replace the '...' with one line matching each protocol you intend to
have that webserver system serve.

Alternately, only do the DNAT when you are interested in serving to the
Internet, by specializing the DNAT statement.

> Do we have to create sub-interfaces (like eth0:1 eth0:2...) in our
> firewall? Or we just have to create iptables entry?

You need to have the firewall see that IP address, but you shouldn't
need to assign it, as I understand things.

     Daniel
-- 
Sadness is but a wall between two gardens.
        -- Kahlil Gibran
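An added example, not code from the original thread: a small POSIX sh script that generates the rule set discussed above in iptables-restore format, so it can be reviewed before being loaded with `gen_rules ... | iptables-restore`. It applies the "specialized DNAT" suggestion by only rewriting the ports actually published (assumed here to be TCP 80 and 443), and it matches the internal address in FORWARD because PREROUTING DNAT runs before routing, so the filter chain sees the rewritten destination. The interface names, addresses and port list are taken from the thread or assumed for the example; it also assumes the upstream router delivers 203.94.71.36 to the firewall's eth0 (a routed block, or the address added as an alias with `ip addr add`).

```shell
#!/bin/sh
# Added example (not from the original post): build a minimal, reviewable
# DNAT rule set for publishing an internal web server behind a Linux
# firewall. Output is iptables-restore format; nothing is applied unless
# the script is run with --apply.
#
# Assumptions (constructed for this example): eth0 faces the Internet and
# receives traffic for 203.94.71.36, eth1 faces the LAN, and the server
# only needs TCP 80 and 443.

WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP=203.94.71.36
SERVER_IP=192.168.1.4
PORTS="80 443"

# gen_rules PUBLIC_IP SERVER_IP PORT [PORT...]
# Prints an iptables-restore dump with one DNAT rule and one FORWARD
# rule per published TCP port.
gen_rules() {
    public="$1"; server="$2"; shift 2
    ports="$*"

    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for p in $ports; do
        # Only rewrite the services we actually publish. Anything else sent
        # to the public address keeps its destination and is dropped by the
        # FORWARD policy below instead of reaching the server.
        echo "-A PREROUTING -i $WAN_IF -d $public -p tcp --dport $p -j DNAT --to-destination $server:$p"
    done
    echo 'COMMIT'

    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Replies and established flows in either direction
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        # FORWARD runs after PREROUTING, so the destination is already the
        # internal address here; matching the public IP would never hit.
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $server -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Number of rules ("-A" lines) the generated set contains; handy for a
# quick sanity check before loading.
count_rules() {
    gen_rules "$@" | grep -c '^-A '
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules "$PUBLIC_IP" "$SERVER_IP" $PORTS | iptables-restore
else
    gen_rules "$PUBLIC_IP" "$SERVER_IP" $PORTS
fi
```

Run it without arguments to print the rule set for review, then with `--apply` (as root) to load it atomically. Because the filter FORWARD policy is DROP and only NEW connections to the listed ports on the internal address are accepted, a port the server happens to have open but that is not in PORTS is unreachable from the Internet even though the host has a public mapping.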