Re: Validating NT through a NATting firewall
On Thu, 27 May 2004, Mike Mestnik wrote:
> I think you have this backwards, are you talking about --to-source or
> --source?  I'm also wondering why not just use proxy-arp (set up with the
> arp cmd) and set up the internal IPs to be what the external IPs are?  This
> way the router can focus on firewalling traffic and not need to do any
> NAT.

Proxy-arp would mean that in the "satellite" subnet I would have 4 hosts
with addresses not in that net. No problem giving these hosts 2
addresses, unless it could break some other things. BTW, what if someone
from 192.168.19.66 tries to access a.b.c.194, which is inside that net, even
if it has a second address 192.168.19.194?
PS: do you have a howto on the proxy-arp option?
> 
> You should be using...
> iptables $OTHEROPTS -i eth<to world> --destination <IP.ext> DNAT
> --to-destination <IP.int>
> 
> iptables $OTHEROPTS -o eth<to world> --source <IP.int> SNAT --to-source
> <IP.ext>
> 
> Then use "-t filter -? FORWARD" to set up all your allow/deny/drop rules.
> Also don't forget to use "-m state NEW" and "-m state ESTABLISHED/RELATED"
> for connection tracking to take effect (so I'm told).
> 
> --- Leonardo Boselli <leo@dicea.unifi.it> wrote:
> > On Wed, 26 May 2004, Mike Mestnik wrote:
> > > K, use "iptables -nvLt nat" to see what rules are being used.  Also use
> > > tcpdump or iptraf to see what traffic is not getting passed.
> > 
> > No rules added. The only odd thing (but this is wanted) is that DNAT
> > requires the source to be in a.b.c.0/24 while SNAT allows the destination to be
> > anything (so I can access the hosts only from localnet, while they
> > can start connections to every host in the net).
> > PDC and BDC are a.b.c.11, .13, .15, .17, .19!
> > PS: GW uses kernel 2.4.26, not 2.4.25
> > 



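The static 1:1 NAT discussed in this thread (one public address per domain controller, DNAT restricted to the local /24, SNAT back to the same public address, and FORWARD rules using connection-tracking state), written out as an added example that generates an iptables-restore ruleset for review. This is not code from the thread; interface names, the 198.51.100.0/24 stand-in for a.b.c.0/24 and the address pairs are constructed. Note that the FORWARD chain sees packets after DNAT, so inbound NEW rules must match the internal address.

```shell
#!/bin/sh
# Generate a reviewable iptables-restore ruleset for static 1:1 NAT.
# All addresses and interface names are constructed examples.

EXT_IF=eth0                  # interface towards the world (assumption)
INT_IF=eth1                  # interface towards the satellite subnet (assumption)
LOCALNET=198.51.100.0/24     # constructed stand-in for a.b.c.0/24
# external:internal pairs (constructed; replace with the real mapping)
MAPPINGS="198.51.100.11:192.168.19.11 198.51.100.13:192.168.19.13"

gen_nat_rules() {
    echo '*nat'
    for pair in $MAPPINGS; do
        ext=${pair%%:*}; int=${pair##*:}
        # inbound: only the local /24 may reach the published address
        echo "-A PREROUTING -i $EXT_IF -s $LOCALNET -d $ext -j DNAT --to-destination $int"
        # outbound: the internal host always appears as its own external address
        echo "-A POSTROUTING -o $EXT_IF -s $int -j SNAT --to-source $ext"
    done
    echo 'COMMIT'
}

gen_filter_rules() {
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    # packets belonging to connections already in the conntrack table, both ways
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for pair in $MAPPINGS; do
        int=${pair##*:}
        # new inbound connections: FORWARD runs after DNAT, so match the internal address
        echo "-A FORWARD -i $EXT_IF -o $INT_IF -s $LOCALNET -d $int -m state --state NEW -j ACCEPT"
        # new outbound connections from the host to anywhere
        echo "-A FORWARD -i $INT_IF -o $EXT_IF -s $int -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

gen_ruleset() { gen_nat_rules; gen_filter_rules; }

# Review the output, then load it with:  gen_ruleset | iptables-restore
gen_ruleset
```

Check the result with `iptables -nvL -t nat` as suggested earlier in the thread; the counters show which rule each packet actually hit.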