Re: problem with iptables nat

Guenter.Sprakties@team4.de wrote:

| There are two interfaces:
| eth0      Protokoll:Ethernet  Hardware Adresse 00:02:1E:F1:AA:32
|           inet Adresse:  Bcast:
| Maske:
|           inet6 Adresse: fe80::202:1eff:fef1:aa32/64
| Gültigkeitsbereich:Verbindung
|           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
| eth1      Protokoll:Ethernet  Hardware Adresse 00:01:02:04:C2:55
|           inet Adresse:  Bcast:
| Maske:
|           inet6 Adresse: fe80::201:2ff:fe04:c255/64
| Gültigkeitsbereich:Verbindung
|           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
| lo        Protokoll:Lokale Schleife
|           inet Adresse:  Maske:
|           inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
|           UP LOOPBACK RUNNING  MTU:16436  Metric:1

[snip success story with plain routing]

| Think of the 172.31.. network as the intranet and the 192.168.. net/machine as
| the DMZ. We would like to get the IP NATted to from the
| intranet; that means that when we ping from, the
| ping arrives as and the return packet arrives again as
| When we take the NAT HOW-TO, we construct the following rules:
| # NAT
| #
| iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to
| iptables -t nat -A PREROUTING -i eth1 -d -j DNAT --to

Why do you do this? DNAT is similar to what was called 'port
forwarding' with ipchains/masquerading (yes, there are people who are
able to point out the differences of masquerading vs. NAT at length, but
this is not the point here). If you just want the guys on the LAN to access
the NET and keep the folks from the NET out of the LAN, do something
like this:


# flush the existing rules in the chains we are about to rebuild
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING

# default policy: drop whatever no rule accepts
iptables -P INPUT DROP
iptables -P FORWARD DROP

# traffic to the firewall itself: answers, loopback, and the LAN
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -i eth0 -s -j ACCEPT

# routed traffic: answers, and anything the LAN sends out
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i eth0 -s -j ACCEPT

# rewrite the LAN source address to the official IP on the way out
iptables -t nat -I POSTROUTING -o eth1 -s -j SNAT --to

# enable routing between the interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

This is my ever successful and quite fool-proof firewall init script. It
NATs the private network to one official IP
( in our case).

The NAT stuff consists of two lines: the '-t nat' line defines what will
be NATed and the '--state ESTABLISHED,RELATED' line in the FORWARD chain
takes care of the answer packets.
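To see why those two lines are enough, here is a small Python model of the gateway (an added example, not part of the original mail or of the script above): it walks a packet through the conntrack lookup, nat PREROUTING, routing, the INPUT/FORWARD rules and nat POSTROUTING as the script configures them, and shows that the reply is un-SNATed from the conntrack entry created on the way out, so no DNAT rule is needed. The interface names match the script; the LAN prefix 172.31., the official address 192.0.2.10, the peer 203.0.113.5 and the port numbers are constructed values, and the model ignores port remapping and connection timeouts.

```python
"""Toy model of the packet path through the two-interface SNAT gateway.

Constructed example: addresses, ports and the conntrack table are made up
here; only the rule logic follows the iptables script in the mail.
"""
from dataclasses import dataclass

LAN_IF, WAN_IF = "eth0", "eth1"
LAN_NET = "172.31."       # constructed: prefix of the private (intranet) network
SNAT_IP = "192.0.2.10"    # constructed: the one official IP on eth1


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    sport: int
    dport: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


class Gateway:
    """Models conntrack plus the nat and filter rules of the script."""

    def __init__(self):
        # original 4-tuple -> {"orig_src": (ip, port), "seen_reply": bool}
        self.orig = {}
        # reply 4-tuple -> original 4-tuple, so a reply finds its entry
        self.reply = {}

    def _lookup(self, pkt):
        """Return (entry, direction) like conntrack, or (None, None)."""
        k = pkt.key()
        if k in self.orig:
            return self.orig[k], "original"
        if k in self.reply:
            return self.orig[self.reply[k]], "reply"
        return None, None

    def forward(self, pkt):
        """Walk PREROUTING -> routing -> INPUT/FORWARD -> POSTROUTING.

        Returns (verdict, packet as it leaves, outgoing interface or "local").
        """
        entry, direction = self._lookup(pkt)
        seen_both = entry is not None and (direction == "reply" or entry["seen_reply"])
        state = "ESTABLISHED" if seen_both else "NEW"

        # nat PREROUTING: a reply is mapped back by the conntrack entry, which
        # is exactly why the script needs no DNAT rule for answer packets.
        if direction == "reply":
            ip, port = entry["orig_src"]
            pkt = Packet(pkt.in_if, pkt.src, ip, pkt.sport, port)

        # routing decision: addressed to the gateway itself -> INPUT chain
        if pkt.dst == SNAT_IP:
            ok = (pkt.in_if == "lo"
                  or (pkt.in_if == LAN_IF and pkt.src.startswith(LAN_NET))
                  or state == "ESTABLISHED")
            return ("ACCEPT" if ok else "DROP"), pkt, "local"
        out_if = LAN_IF if pkt.dst.startswith(LAN_NET) else WAN_IF

        # filter FORWARD, in the order the two '-I' inserts leave it; policy DROP
        if pkt.in_if == LAN_IF and pkt.src.startswith(LAN_NET):
            verdict = "ACCEPT"
        elif state in ("ESTABLISHED", "RELATED"):
            verdict = "ACCEPT"
        else:
            return "DROP", pkt, out_if

        # nat POSTROUTING: '-o eth1 -s LAN -j SNAT --to SNAT_IP' on the first
        # packet creates the entry; later packets reuse the stored mapping.
        if entry is None and out_if == WAN_IF and pkt.src.startswith(LAN_NET):
            orig_key = pkt.key()
            pkt = Packet(pkt.in_if, SNAT_IP, pkt.dst, pkt.sport, pkt.dport)
            self.orig[orig_key] = {"orig_src": orig_key[:2], "seen_reply": False}
            self.reply[(pkt.dst, pkt.dport, SNAT_IP, pkt.sport)] = orig_key
        elif direction == "original":
            pkt = Packet(pkt.in_if, SNAT_IP, pkt.dst, pkt.sport, pkt.dport)
        elif direction == "reply":
            entry["seen_reply"] = True
        return verdict, pkt, out_if


if __name__ == "__main__":
    gw = Gateway()
    for p in (Packet("eth0", "172.31.0.7", "203.0.113.5", 40000, 80),   # LAN -> NET
              Packet("eth1", "203.0.113.5", "192.0.2.10", 80, 40000),   # the answer
              Packet("eth1", "203.0.113.5", "172.31.0.7", 4444, 22)):   # unsolicited
        print(p, "->", gw.forward(p))
```

The first packet is accepted by the '-i eth0 -s LAN' rule and SNATed; its answer matches the reply tuple in the table, is rewritten back to 172.31.0.7 in PREROUTING and passes FORWARD on the ESTABLISHED rule; a packet from the NET that has no entry is NEW and hits the DROP policy, whether it is aimed at the gateway or straight at a LAN address.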

I hope that helps ...

   Goesta

--
Goesta Smekal
download my gpg public key from: