Re: Iptable NAT problem
The full story can be found here:
http://wiki.debian.net/index.cgi?Firewalls-dnat-redirect. The solution
below is number 6; you may want to use 2 instead.
I'd appreciate anyone adding to the wiki exact instructions as to how
each solution may/might/should be implemented.
--- Daniel Pittman <daniel@rimspace.net> wrote:
> On 9 Aug 2004, pradeeper@unionb.com wrote:
> > We have a small network like this,
> >
> > --------------        eth1         ----------   eth0
> > | WWW Server |---------------------|Firewall|-------------> Internet
> > --------------                     ----------
> > 192.168.1.4
> > [203.94.71.36]
> >
> > Firewall:
> > eth0: 203.94.71.42
> > eth1: 192.168.1.1
> >
> > WWW Server:
> > eth0: 192.168.1.4
> >
> > Ok! Problem is...,
> >
> > o What we want is, who ever asking ip address 203.94.71.36 redirect
> > (DNAT) to 192.168.1.4
> >
> > What will be the correct and secured iptables entry we can use?
>
> You might look at some sort of useful firewall script that makes it
> easier, but you need the two statements, pretty much:
>
> iptables -t nat -A PREROUTING -d 203.94.71.36 \
> -j DNAT --to-destination 192.168.1.4
>
> iptables -t filter -A FORWARD -d 192.168.1.4 ... -j ACCEPT
>
> Replace the '...' with one line matching each protocol you intend to
> have that webserver system serve.
>
> Alternately, only do the DNAT when you are interested in serving to the
> Internet, by specializing the DNAT statement.
>
> > Do we have to create sub-interfaces (like eth0:1 eth0:2...) in our
> > firewall? Or we just have to create iptables entry?
>
> You need to have the firewall see that IP address, but you shouldn't
> need to assign it, as I understand things.
>
> Daniel
> --
> Sadness is but a wall between two gardens.
> -- Kahlil Gibran
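A worked version of the two rules from the reply, as an added example (not the script of either poster, and not one of the wiki's numbered solutions). It uses the thread's addresses (203.94.71.36 published, 192.168.1.4 internal, eth0 towards the Internet, eth1 towards the web server); the port list, the conntrack matches and the function names are assumptions. It generates the iptables commands instead of running them, so the set can be reviewed before it is applied with `--apply` as root:

```shell
#!/bin/sh
# Added example for the DNAT question in this thread: publish 203.94.71.36
# on the firewall's eth0 and hand the traffic to 192.168.1.4 behind eth1.
# Addresses are the thread's; interface names, ports and helper names are
# assumptions and can be overridden through the environment.
PUBLIC_IP="${PUBLIC_IP:-203.94.71.36}"
INTERNAL_IP="${INTERNAL_IP:-192.168.1.4}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
# TCP ports the web server is meant to serve (assumed: plain HTTP and HTTPS).
PORTS="${PORTS:-80 443}"

# dnat_rules prints the iptables commands rather than executing them, so
# the rule set can be read, diffed or piped into sh once it looks right.
dnat_rules() {
    for p in $PORTS; do
        # Specialised DNAT, as the reply suggests: only packets that arrive
        # on the Internet-facing interface for the published address and a
        # served port are rewritten, not everything sent to that address.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport $p -j DNAT --to-destination $INTERNAL_IP:$p"
        # FORWARD runs after PREROUTING, so by now the destination is the
        # internal address; a FORWARD match on the public address never fires.
        echo "iptables -t filter -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $INTERNAL_IP --dport $p -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    # Replies from the server are allowed on connection-tracking state only;
    # the server gets no rule to open new connections towards the Internet.
    echo "iptables -t filter -A FORWARD -i $LAN_IF -o $WAN_IF -s $INTERNAL_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# rule_count returns the number of rules the current port list produces,
# a quick sanity check before applying (two per port plus the reply rule).
rule_count() {
    dnat_rules | wc -l | tr -d ' '
}

# Print by default; apply only when asked for explicitly and running as root.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    dnat_rules | sh -e
else
    dnat_rules
fi
```

The ACCEPT rules only mean something if the FORWARD chain's policy is DROP (or ends in a DROP rule); with the default ACCEPT policy, everything routed through the firewall passes anyway. On the sub-interface question: the firewall must receive frames for 203.94.71.36 before PREROUTING can rewrite them, so if the upstream router expects that address on the eth0 segment, the firewall has to answer ARP for it (an alias or proxy ARP), whereas a routed block needs nothing assigned.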