problem with iptables nat II

To: debian-firewall@lists.debian.org
Subject: problem with iptables nat II
From: Guenter.Sprakties@team4.de
Date: Thu, 19 May 2005 10:37:24 +0200
Message-id: <[🔎] OF7B0EEF16.F35D652E-ONC1256FFE.004D05D4-C1257006.002F5C3E@team4.de>

Hello,

because some people didn't understand our problems, here again:

Wintel computer with actual sarge 2.6.8-2 and actual iptables,

three network interfaces
net one: 172.31.24.0/21
net two: 192.168.2.0/24
net three:212.118.70.32/27

net one is the internal, net two the dmz. net three the internet.

We like to do some double natting of our dmz machines:

The (internal) IP of one dmz computer may be 192.168.2.20
The IP from the intranet should be 172.31.27.20
The IP from the internet should be 212.118.70.36

Simple 1:1 static natting, but route dependend. Easily done by iproute2.
No more longer possible because the kernel was changed and nat by ip route/rule isn't possible anymore.

We got several manuals like NAT HOWTO or iptables from LeRoy D. Cressy or double nat HOWTO.
Most of them deal with port forwarding or masquerading. Nice, but this did not help.
NETMAP could be an possibility, but Cressy points out that connection tracking didn't work well (whatever this means).
I googled NETMAP, but still now I didn't find some real good advertisement about this.
And no, I'm not so good to take the sources of iptable & patches and learn about all circumstances by miself, soory.

In our test environment, this didn't work out:

| # NAT | # | iptables -t nat -A POSTROUTING -s 192.168.2.20 -o eth0 -j SNAT --to | 172.31.27.20 | iptables -t nat -A PREROUTING -i eth1 -d 172.31.27.20 -j DNAT --to | 192.168.2.20

Greetings,

Dr. Günter Sprakties

Reply to:

Prev by Date: Re : your swiss watch order
Next by Date: Re: SSh Tunnel Over Squid
Previous by thread: Re : your swiss watch order
Next by thread: Little magic. Perfect weekends.
Index(es):
- Date
- Thread