Re: Iptable NAT problem
On Mon, 2004-08-09 at 14:56, Daniel Pittman wrote:
> On 9 Aug 2004, pradeeper@unionb.com wrote:
> > We have a small network like this,
> >
> > --------------            eth1 ----------  eth0
> > | WWW Server |-----------------|Firewall|-------------> Internet
> > --------------                 ----------
> >   192.168.1.4
> > [203.94.71.36]
> >
> > Firewall:
> > eth0: 203.94.71.42
> > eth1: 192.168.1.1
> >
> > WWW Server:
> > eth0: 192.168.1.4
> >
> > Ok! Problem is...,
> >
> > o What we want is, who ever asking ip address 203.94.71.36 redirect
> > (DNAT) to 192.168.1.4
> >
> > What will be the correct and secured iptables entry we can use?
>
> You might look at some sort of useful firewall script that makes it
> easier, but you need the two statements, pretty much:
>
> iptables -t nat -A PREROUTING -d 203.94.71.36 \
> -j DNAT --to-destination 192.168.1.4
It's recommended to add an interface definition, e.g.
iptables -t nat -A PREROUTING -i eth0 -d 203.94.71.36 \
-j DNAT --to-destination 192.168.1.4
>
> iptables -t filter -A FORWARD -d 203.94.71.36 ... -j ACCEPT
And after the DNAT the destination is rewritten to 192.168.1.4,
so it would need to be:
iptables -t filter -A FORWARD -i eth0 -d 192.168.1.4 -j ACCEPT
That ACCEPT rule also implies there's a DROP somewhere, either in POLICY
or later in the chain, so I would expect to see a state rule to allow
replies and traffic initiated by the webserver itself.. eg
iptables -A FORWARD -i eth0 -m state --state NEW -d 192.168.1.4 \
-j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
instead of just the one forward rule..
>
> Replace the '...' with one line matching each protocol you intend to
> have that webserver system serve.
>
> Alternately, only do the DNAT when you are interested in serving to the
> Internet, by specializing the DNAT statement.
So that's the minimum for traffic, but you need more rules for security.
Regards,
Peter
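Putting the pieces of this thread together, here is an added example (not code from any of the posters) that emits a complete ruleset for the posted topology in iptables-restore(8) format, so it can be reviewed before it is loaded. The addresses and interface names are the ones from the original post; the served ports (80 and 443), the LAN_NET value, the SNAT rule for the web server's own outbound connections, and the INPUT rules for the firewall host itself are assumptions the thread does not state. It uses `-m conntrack --ctstate`, the current spelling of the `-m state --state` match used above.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete ruleset for the posted
# topology, emitted in iptables-restore(8) format so it can be reviewed before
# it is loaded. Addresses and interface names come from the original post;
# the served ports (80/443), LAN_NET, the SNAT for the server's own outbound
# traffic and the INPUT rules for the firewall host itself are assumptions.
set -eu

WAN_IF=eth0                 # firewall, Internet side
LAN_IF=eth1                 # firewall, LAN side
PUBLIC_IP=203.94.71.36      # address the public connects to
WWW_IP=192.168.1.4          # real web server behind the firewall
LAN_NET=192.168.1.0/24      # assumption: the LAN behind eth1
WWW_PORTS="80 443"          # assumption: what the server is meant to serve

# Print one rule line; "$*" joins the arguments with single spaces.
rule() { printf '%s\n' "$*"; }

# Emit the whole ruleset on stdout (nat table first, then filter).
gen_rules() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # DNAT only on the Internet interface and only for the served ports,
    # so LAN traffic and unrelated ports on 203.94.71.36 are left alone.
    for p in $WWW_PORTS; do
        rule -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" --dport "$p" \
             -j DNAT --to-destination "$WWW_IP"
    done
    # Assumption beyond the thread: connections the web server opens itself
    # leave with the public address rather than a private one.
    rule -A POSTROUTING -o "$WAN_IF" -s "$WWW_IP" -j SNAT --to-source "$PUBLIC_IP"
    echo 'COMMIT'

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # The firewall host itself: loopback, replies, and admin SSH from the LAN only.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    rule -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Anti-spoofing: LAN source addresses never legitimately arrive from the Internet.
    rule -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Replies and related traffic for connections already accepted, both directions.
    rule -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # New connections from the Internet: FORWARD sees the post-DNAT address,
    # so match 192.168.1.4, not 203.94.71.36, and only the served ports.
    for p in $WWW_PORTS; do
        rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WWW_IP" --dport "$p" \
             -m conntrack --ctstate NEW -j ACCEPT
    done
    # New connections initiated by the web server (DNS, updates, ...).
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$WWW_IP" -m conntrack --ctstate NEW -j ACCEPT
    echo 'COMMIT'
}

# Checks a reviewer can run without root: how many DNAT rules there are, and
# whether any FORWARD rule still matches the pre-DNAT public address (the
# mistake discussed in the thread).
dnat_rule_count() { gen_rules | grep -c -- '-j DNAT'; }
forward_uses_public_ip() { gen_rules | grep -q -- "-A FORWARD.* -d $PUBLIC_IP"; }

# Usage: sh nat-rules.sh        -> print the ruleset for review
#        sh nat-rules.sh apply  -> load it atomically (needs root)
case "${1:-show}" in
    apply) gen_rules | iptables-restore ;;
    *)     gen_rules ;;
esac
```

Two things worth checking before relying on this: DNAT only rewrites packets that actually reach eth0, so if 203.94.71.36 is in the same subnet as the firewall's 203.94.71.42 the firewall must also hold that address (e.g. `ip addr add 203.94.71.36/32 dev eth0`) or otherwise answer ARP for it; and the ruleset is loaded with iptables-restore so that the whole thing takes effect at once rather than leaving a window where the DNAT exists but the FORWARD rule does not.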