
Re: problem with iptables nat




Guenter.Sprakties@team4.de wrote:

| There are two interfaces:
|
| eth0      Protokoll:Ethernet  Hardware Adresse 00:02:1E:F1:AA:32
|           inet Adresse:172.31.27.1  Bcast:172.31.31.255  Maske:255.255.248.0
|           inet6 Adresse: fe80::202:1eff:fef1:aa32/64 Gültigkeitsbereich:Verbindung
|           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
|
| eth1      Protokoll:Ethernet  Hardware Adresse 00:01:02:04:C2:55
|           inet Adresse:192.168.2.1  Bcast:192.168.2.255  Maske:255.255.255.0
|           inet6 Adresse: fe80::201:2ff:fe04:c255/64 Gültigkeitsbereich:Verbindung
|           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
|
| lo        Protokoll:Lokale Schleife
|           inet Adresse:127.0.0.1  Maske:255.0.0.0
|           inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
|           UP LOOPBACK RUNNING  MTU:16436  Metric:1

[snip success story with plain routing]

| Think of the 172.31.. network as the intranet and the 192.168.. net/machine as
| the DMZ. We would like to get the 192.168.2.20 IP NATted to 172.31.27.20 from the
| intranet; that means that we can ping 172.31.27.20 from 172.31.27.10, the
| ping arrives as 192.168.2.20 and the return packet arrives again as
| 172.31.27.20. When we follow the NAT HOWTO, we construct the following rules:
|
| # NAT
| #
| iptables -t nat -A POSTROUTING -s 192.168.2.20 -o eth0 -j SNAT --to 172.31.27.20
| iptables -t nat -A PREROUTING -i eth1 -d 172.31.27.20 -j DNAT --to 192.168.2.20

Why do you do this? DNAT is similar to what was called 'port
forwarding' with ipchains/masquerading (yes, there are people who are
able to point out the differences between masquerading and NAT at length, but
this is not the point here). If you just want the guys on the LAN to access
the NET and keep the folks from the NET out of the LAN, do something
like this:

#!/bin/bash
# Reset the chains used below. -F flushes a chain; -X only deletes
# user-defined chains and fails on the built-in INPUT/FORWARD/POSTROUTING.
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING

# Drop everything that no rule below explicitly accepts.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Interface names follow the quoted ifconfig output: eth1 carries the
# private 192.168.2.0/24 LAN, eth0 the 172.31.x.x intranet side.
# -I inserts at the top, so the rules end up in reverse order; as all of
# them ACCEPT, the order does not change the result.
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -i eth1 -s 192.168.2.0/24 -j ACCEPT

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i eth1 -s 192.168.2.0/24 -j ACCEPT

# Rewrite the source of everything from the LAN that leaves on eth0 to
# the one official IP; conntrack maps the answers back automatically.
iptables -t nat -I POSTROUTING -o eth0 -s 192.168.2.0/24 -j SNAT --to-source 172.31.27.1

echo "1" > /proc/sys/net/ipv4/ip_forward

This is my ever successful and quite foolproof firewall init script. It
NATs the private network 192.168.2.0/24 to one official IP
(172.31.27.1 in our case).

The NAT stuff consists of two lines: the '-t nat' line defines what will
be NATed and the '--state ESTABLISHED,RELATED' line in the FORWARD chain
takes care of the answer packets.

I hope that helps ...

  Goesta

--
Goesta Smekal
download my gpg public key from:
http://www.smekal.at/gpg-public-key
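As an added illustration of the two-line mechanism the reply describes (SNAT in POSTROUTING, '--state ESTABLISHED,RELATED' in FORWARD), here is a small Python model of the packet path; it is not code from the post or from iptables. It assumes the interface layout of the quoted ifconfig output (eth1 = 192.168.2.0/24 LAN, eth0 = 172.31 side) and a made-up port allocator, and shows a LAN flow being SNATed to 172.31.27.1, its answer being un-NATed and accepted as ESTABLISHED, and unsolicited traffic from the NET hitting the DROP policy.

```python
"""Toy model of the two-rule NAT from the reply: SNAT in POSTROUTING plus a
FORWARD chain with policy DROP that accepts new LAN flows and ESTABLISHED answers."""
import ipaddress
from dataclasses import dataclass, replace

LAN_IF, NET_IF = "eth1", "eth0"   # interfaces as in the quoted ifconfig output
LAN_NET = ipaddress.ip_network("192.168.2.0/24")
SNAT_IP = "172.31.27.1"           # the single address the LAN is NATed to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str


class NatRouter:
    def __init__(self):
        self.orig = {}         # original-direction tuple -> SNAT source port
        self.reply = {}        # reply-direction tuple -> (orig src, orig sport)
        self.next_port = 1024  # port allocator (assumption, not the kernel's)

    def forward(self, pkt):
        """Return ('ACCEPT', out_if, packet as sent) or ('DROP', None, None)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # conntrack at PREROUTING: a known reply is ESTABLISHED and is un-SNATed
        # before routing, so it is delivered to the LAN host that started the flow.
        if key in self.reply:
            pkt = replace(pkt, dst=self.reply[key][0], dport=self.reply[key][1])
        established = key in self.reply or key in self.orig
        out_if = LAN_IF if ipaddress.ip_address(pkt.dst) in LAN_NET else NET_IF
        # FORWARD chain: '-i eth1 -s 192.168.2.0/24 -j ACCEPT' admits new flows
        # from the LAN, '--state ESTABLISHED,RELATED' admits their answers,
        # everything else (including unsolicited traffic from the NET) is dropped.
        from_lan = pkt.in_if == LAN_IF and ipaddress.ip_address(pkt.src) in LAN_NET
        if not (established or from_lan):
            return ("DROP", None, None)
        # POSTROUTING: '-o eth0 -s 192.168.2.0/24 -j SNAT' rewrites the source;
        # the mapping is created once and reused for the rest of the flow.
        if out_if == NET_IF and ipaddress.ip_address(pkt.src) in LAN_NET:
            if key not in self.orig:
                self.orig[key] = self.next_port
                self.reply[(pkt.dst, pkt.dport, SNAT_IP, self.next_port)] = key[:2]
                self.next_port += 1
            pkt = replace(pkt, src=SNAT_IP, sport=self.orig[key])
        return ("ACCEPT", out_if, pkt)
```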