
Re: Iptable NAT problem



The full story can be found here
http://wiki.debian.net/index.cgi?Firewalls-dnat-redirect.  The solution
below is number 6; this means that data CANNOT come back to the FW host,
it will have to be sent directly back to the client.  Ohh, yes, it looks
to me like 6 is quite broken, we have to change this to 2.

I'd appreciate anyone adding to the wiki exact instructions as to how
each solution may/might/should be implemented.

--- deb list <deb@newproject.pl> wrote:

> On Mon, 2004-08-09 at 14:56, Daniel Pittman wrote:
> > On 9 Aug 2004, pradeeper@unionb.com wrote:
> > > We have a small network like this,
> > >
> > > --------------		      eth1 ---------- eth0
> > > | WWW Server |---------------------|Firewall|-------------> Internet
> > > --------------			   ----------
> > > 192.168.1.4
> > > [203.94.71.36]
> > >
> > > Firewall:
> > > eth0: 203.94.71.42
> > > eth1: 192.168.1.1
> > >
> > > WWW Server:
> > > eth0: 192.168.1.4
> > >
> > > Ok! Problem is...,
> > >
> > > o What we want is, who ever asking ip address 203.94.71.36 redirect
> > > (DNAT) to 192.168.1.4
> > >
> > > What will be the correct and secured iptables entry we can use?
> > 
> > You might look at some sort of useful firewall script that makes it
> > easier, but you need the two statements, pretty much:
> > 
> > iptables -t nat -A PREROUTING -d 203.94.71.36 \
> >          -j DNAT --to-destination 192.168.1.4
> 
> It's recommended to add an interface definition, eg
> iptables -t nat -A PREROUTING -i eth0 -d 203.94.71.36 \
>          -j DNAT --to-destination 192.168.1.4
> > 
> > iptables -t filter -A FORWARD -d 203.94.71.36 ... -j ACCEPT
> and after the DNAT, the destination is re-written to 192.168.1.4
> so it would need to be..
>   iptables -t filter -A FORWARD -i eth0 -d 192.168.1.4 -j ACCEPT
> 
> That ACCEPT rule also implies there's a DROP somewhere, either in POLICY
> or later in the chain, so I would expect to see a state rule to allow
> replies and traffic initiated by the webserver itself.. eg
> iptables -A FORWARD -i eth0 -m state --state NEW -d 192.168.1.4 \
> -j ACCEPT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> instead of just the one forward rule..
> 
> > 
> > Replace the '...' with one line matching each protocol you intend to
> > have that webserver system serve.
> > 
> > Alternately, only do the DNAT when you are interested in serving to the
> > Internet, by specializing the DNAT statement.
> 
> So that's minimum for traffic, but you need more rules for security..
> 
> Regards,
> Peter
> 
> 

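The thread's key point is that filter/FORWARD sees the packet after nat/PREROUTING has rewritten its destination, so an ACCEPT rule written against the public address never matches, and that replies only get back out if a state rule lets ESTABLISHED traffic through. The following is an added toy model of that traversal, written for this page and not code from the thread or from the Debian wiki: it keeps only the match options the thread uses (-i, -d, -m state) and a minimal connection tracker, and the client address 198.51.100.7 is a constructed value from the RFC 5737 documentation range. Both rule sets are the ones quoted above, expressed as data.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

# Addresses taken from the network diagram in the thread.
WWW_PUBLIC = "203.94.71.36"   # address Internet clients connect to
WWW_PRIVATE = "192.168.1.4"   # real address of the web server behind eth1


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on ("eth0" = Internet side)
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    """One iptables rule. A None field means the option was omitted (wildcard)."""
    chain: str                              # "PREROUTING" (nat) or "FORWARD" (filter)
    target: str                             # "DNAT" or "ACCEPT"
    in_iface: Optional[str] = None          # -i
    dst: Optional[str] = None               # -d
    state: Optional[FrozenSet[str]] = None  # -m state --state
    to_destination: Optional[str] = None    # --to-destination (DNAT only)


class Conntrack:
    """Toy connection tracker (assumption: real conntrack tracks full 5-tuples).
    Keys are (src, dst) as seen in FORWARD, i.e. after DNAT; the value is the
    destination the client originally used, so a reply's source can be
    translated back on the way out."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[str, str], str] = {}

    def state(self, pkt: Packet) -> str:
        if (pkt.src, pkt.dst) in self.flows or (pkt.dst, pkt.src) in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, pkt: Packet, original_dst: str) -> None:
        self.flows[(pkt.src, pkt.dst)] = original_dst

    def untranslate_reply(self, pkt: Packet) -> Packet:
        original_dst = self.flows.get((pkt.dst, pkt.src))
        if original_dst is not None and pkt.src != original_dst:
            return replace(pkt, src=original_dst)
        return pkt


def matches(rule: Rule, pkt: Packet, ct: Conntrack) -> bool:
    return ((rule.in_iface is None or rule.in_iface == pkt.in_iface)
            and (rule.dst is None or rule.dst == pkt.dst)
            and (rule.state is None or ct.state(pkt) in rule.state))


def traverse(pkt: Packet, rules: List[Rule], ct: Conntrack,
             policy: str = "DROP") -> Tuple[str, Packet]:
    """Run one packet through nat/PREROUTING, then filter/FORWARD.
    Returns the FORWARD verdict and the packet as it would leave the firewall."""
    original_dst = pkt.dst
    for rule in rules:                              # nat table, PREROUTING chain
        if rule.chain == "PREROUTING" and matches(rule, pkt, ct):
            pkt = replace(pkt, dst=rule.to_destination)
            break                                   # first matching nat rule wins
    verdict = policy                                # chain policy applies if nothing matches
    for rule in rules:                              # filter table, FORWARD chain
        if rule.chain == "FORWARD" and matches(rule, pkt, ct):
            verdict = rule.target
            break
    if verdict == "ACCEPT":
        if ct.state(pkt) == "NEW":
            ct.confirm(pkt, original_dst)           # connection is now tracked
        pkt = ct.untranslate_reply(pkt)             # reverse NAT for the reply direction
    return verdict, pkt


def run_scenario(rules: List[Rule]) -> Tuple[str, str, str, str]:
    """One request from an Internet client, then the server's reply.
    Returns (request verdict, dst after DNAT, reply verdict, reply src as sent)."""
    ct = Conntrack()
    client = "198.51.100.7"   # constructed client address (RFC 5737 range)
    req = Packet(in_iface="eth0", src=client, dst=WWW_PUBLIC)
    req_verdict, req_out = traverse(req, rules, ct)
    rep = Packet(in_iface="eth1", src=WWW_PRIVATE, dst=client)
    rep_verdict, rep_out = traverse(rep, rules, ct)
    return req_verdict, req_out.dst, rep_verdict, rep_out.src


# FORWARD rule written against the public address: never matches after DNAT.
NAIVE_RULES = [
    Rule("PREROUTING", "DNAT", dst=WWW_PUBLIC, to_destination=WWW_PRIVATE),
    Rule("FORWARD", "ACCEPT", dst=WWW_PUBLIC),
]

# Rules as corrected in the thread: interface-qualified DNAT, FORWARD matching
# the post-DNAT address, and a state rule that lets the replies back through.
CORRECTED_RULES = [
    Rule("PREROUTING", "DNAT", in_iface="eth0", dst=WWW_PUBLIC, to_destination=WWW_PRIVATE),
    Rule("FORWARD", "ACCEPT", in_iface="eth0", dst=WWW_PRIVATE, state=frozenset({"NEW"})),
    Rule("FORWARD", "ACCEPT", state=frozenset({"RELATED", "ESTABLISHED"})),
]

if __name__ == "__main__":
    print("naive    :", run_scenario(NAIVE_RULES))      # request and reply both DROP
    print("corrected:", run_scenario(CORRECTED_RULES))  # both ACCEPT, reply src un-NATed
```

With the naive rules the request is dropped by the FORWARD chain policy even though DNAT did rewrite the destination, which is the mismatch Peter points out; with the corrected rules the request is accepted as NEW, the reply comes back as ESTABLISHED, and its source is translated back to 203.94.71.36 before it leaves eth0.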