Re: Iptable NAT problem
The full story can be found here
http://wiki.debian.net/index.cgi?Firewalls-dnat-redirect. The solution
below is number 6 this means that data CAN NOT come back to the FW host,
it will have to be sent directly back to the client. Ohh, yes it lookes
to me like 6 is quiet broken, we have to change this to 2.
I'd appreciate any one to add to the wiki exact instructions as to how
each solution may/might/should be implemented.
--- deb list <firstname.lastname@example.org> wrote:
> On Mon, 2004-08-09 at 14:56, Daniel Pittman wrote:
> > On 9 Aug 2004, email@example.com wrote:
> > > We have a small network like this,
> > >
> > > -------------- eth1 ---------- eth0
> > > | WWW Server |---------------------|Firewall|-------------> Internet
> > > -------------- ----------
> > > 192.168.1.4
> > > [18.104.22.168]
> > >
> > > Firewall:
> > > eth0: 22.214.171.124
> > > eth1: 192.168.1.1
> > >
> > > WWW Server:
> > > eth0: 192.168.1.4
> > >
> > > Ok! Problem is...,
> > >
> > > o What we want is, who ever asking ip address 126.96.36.199 redirect
> > > (DNAT) to 192.168.1.4
> > >
> > > What will be the correct and secured iptables entry we can use?
> > You might look at some sort of useful firewall script that makes it
> > easier, but you need the two statements, pretty much:
> > iptables -t nat -A PREROUTING -d 188.8.131.52 \
> > -j DNAT --to-destination 192.168.1.4
> It's recommended to add an interface definition, eg
> iptables -t nat -A PREROUTING -i eth0 -d 184.108.40.206 \
> -j DNAT --to-destination 192.168.1.4
> > iptables -t filter -A FORWARD -d 220.127.116.11 ... -j ACCEPT
> and after the DNAT, the destination is re-written to 192.168.1.4
> so it would need to be..
> iptables -t filter -A FORWARD -i eth0 -d 192.168.1.4 -j ACCEPT
> That ACCEPT rule also implies there's a DROP somewhere, either in POLICY
> or later in the chain, so I would expect to see a state rule to allow
> replies and traffic initiated by the webserver itself.. eg
> iptables -A FORWARD -i eth0 -m state --state NEW -d 192.168.1.4 \
> -j ACCEPT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> instead of just the one forward rule..
> > Replace the '...' with one line matching each protocol you intend to
> > have that webserver system serve.
> > Alternately, only do the DNAT when you are interested in serving to
> > Internet, by specializing the DNAT statement.
> So that's minimum for traffic, but you need more rules for security..
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!