Re: problem with iptables nat
Guenter.Sprakties@team4.de wrote:
| There are two interfaces:
|
| eth0 Protokoll:Ethernet Hardware Adresse 00:02:1E:F1:AA:32
| inet Adresse:172.31.27.1 Bcast:172.31.31.255 Maske:255.255.248.0
| inet6 Adresse: fe80::202:1eff:fef1:aa32/64 Gültigkeitsbereich:Verbindung
| UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
| eth1 Protokoll:Ethernet Hardware Adresse 00:01:02:04:C2:55
| inet Adresse:192.168.2.1 Bcast:192.168.2.255 Maske:255.255.255.0
| inet6 Adresse: fe80::201:2ff:fe04:c255/64 Gültigkeitsbereich:Verbindung
| UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
| lo Protokoll:Lokale Schleife
| inet Adresse:127.0.0.1 Maske:255.0.0.0
| inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
| UP LOOPBACK RUNNING MTU:16436 Metric:1
[snip success story with plain routing]
| Think of the 172.31.. network as the intranet and the 192.168.. net/machine as
| the DMZ. We would like to get the 192.168.2.20 IP NATed to 172.31.27.20 from the
| intranet; that means that we can ping 172.31.27.20 from 172.31.27.10, the
| ping arrives as 192.168.2.20 and the return packet arrives again as
| 172.31.27.20. Following the NAT HOW-TO, we constructed the following rules:
|
| # NAT
| #
| iptables -t nat -A POSTROUTING -s 192.168.2.20 -o eth0 -j SNAT --to 172.31.27.20
| iptables -t nat -A PREROUTING -i eth1 -d 172.31.27.20 -j DNAT --to 192.168.2.20
Why do you do this? DNAT is similar to what was called 'port
forwarding' with ipchains/masquerading (yes, there are people who are
able to point out the differences of masquerading vs. NAT at length, but
this is not the point here). If you just want the guys on the LAN to access
the NET and keep the folks from the NET out of the LAN, do something
like this:
#!/bin/bash
# Flush the chains first: -X only deletes user-defined chains and fails on
# the built-in INPUT/FORWARD/POSTROUTING chains, -F empties them.
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# Default deny for traffic to and through the firewall
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Interfaces as in the quoted ifconfig output: eth1 carries the private
# net 192.168.2.0/24, eth0 carries the official address 172.31.27.1
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -i eth1 -s 192.168.2.0/24 -j ACCEPT
# Answer packets of forwarded connections are let back in by conntrack state
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i eth1 -s 192.168.2.0/24 -j ACCEPT
# SNAT the private net to the address of the interface the packets leave on
iptables -t nat -I POSTROUTING -o eth0 -s 192.168.2.0/24 -j SNAT --to 172.31.27.1
echo "1" > /proc/sys/net/ipv4/ip_forward
This is my ever successful and quite fool proof firewall init script. It
NATs the private network 192.168.2.0/24 to one official IP
(172.31.27.1 in our case).
The NAT stuff consists of two lines: the '-t nat' line defines what will
be NATed and the '--state ESTABLISHED,RELATED' line in the FORWARD chain
takes care of the answer packets.
I hope that helps ...
Goesta
--
Goesta Smekal
download my gpg public key from:
http://www.smekal.at/gpg-public-key
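As an added example (not part of the thread), a small Python model of how netfilter walks a packet through nat PREROUTING, the routing decision and nat POSTROUTING, with a conntrack table that reverses the translation on the answer packet. It uses the interfaces and addresses from the quoted ifconfig output; the rule sets are Guenter's as quoted, a variant that matches the DNAT on the intranet interface (an assumption about the intended fix, since the pings arrive on eth0), and Goesta's SNAT-only approach. Routing is reduced to the two directly connected subnets.

```python
from ipaddress import ip_address, ip_network

# Router interfaces as in the quoted ifconfig output: eth0 = intranet, eth1 = DMZ
IFACES = {"eth0": ip_network("172.31.24.0/21"), "eth1": ip_network("192.168.2.0/24")}

def route(dst):
    """Routing decision: the directly connected interface, else default via eth0."""
    for name, net in IFACES.items():
        if ip_address(dst) in net:
            return name
    return "eth0"

def matches(rule, pkt, iface_key):
    """Evaluate the -i/-o (iface_key), -s and -d matches of one rule."""
    if rule.get(iface_key) and rule[iface_key] != pkt[iface_key]:
        return False
    return all(ip_address(pkt[k]) in ip_network(rule[k]) for k in ("src", "dst") if k in rule)

def forward(rules, pkt, conntrack):
    """New connection: nat PREROUTING (DNAT) -> routing -> nat POSTROUTING (SNAT)."""
    pkt, orig = dict(pkt), (pkt["src"], pkt["dst"])
    for r in rules:  # DNAT rewrites the destination before the routing decision
        if r["chain"] == "PREROUTING" and matches(r, pkt, "in"):
            pkt["dst"] = r["to"]
            break
    pkt["out"] = route(pkt["dst"])
    for r in rules:  # SNAT rewrites the source once the outgoing interface is known
        if r["chain"] == "POSTROUTING" and matches(r, pkt, "out"):
            pkt["src"] = r["to"]
            break
    conntrack[(pkt["dst"], pkt["src"])] = orig  # reply tuple -> original tuple
    return pkt

def reply(conntrack, pkt):
    """Answer packet: ESTABLISHED, un-NATed from conntrack, no rule consulted."""
    orig_src, orig_dst = conntrack[(pkt["src"], pkt["dst"])]
    return {"src": orig_dst, "dst": orig_src, "out": route(orig_src)}

# Guenter's rules as quoted: the DNAT matches -i eth1, but intranet packets arrive on eth0
GUENTER = [
    {"chain": "PREROUTING", "in": "eth1", "dst": "172.31.27.20", "to": "192.168.2.20"},
    {"chain": "POSTROUTING", "out": "eth0", "src": "192.168.2.20", "to": "172.31.27.20"},
]
FIXED = [{**GUENTER[0], "in": "eth0"}, GUENTER[1]]  # assumed fix: match the intranet side
# Goesta's approach with interfaces mapped onto the quoted setup: SNAT the DMZ net to 172.31.27.1
GOESTA = [{"chain": "POSTROUTING", "out": "eth0", "src": "192.168.2.0/24", "to": "172.31.27.1"}]

if __name__ == "__main__":
    print(forward(GUENTER, {"src": "172.31.27.10", "dst": "172.31.27.20", "in": "eth0"}, {}))
    print(forward(FIXED, {"src": "172.31.27.10", "dst": "172.31.27.20", "in": "eth0"}, {}))
```

Note that 172.31.27.20 lies inside eth0's own 172.31.24.0/21 subnet, so intranet hosts ARP for it directly; the NAT box has to answer for that address before any PREROUTING rule ever sees the packet, which the model above does not cover.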