Static NAT w/ iptables problem

To: <debian-security@lists.debian.org>
Subject: Static NAT w/ iptables problem
From: Markus Trümper <m.truemper@daewoo-automobile.de>
Date: Sat, 14 Aug 2004 15:36:57 +0200
Message-id: <[🔎] NGBBJBJAFKMIAAGGPNOIIEEHDPAA.m.truemper@daewoo-automobile.de>

 Hello,

I'm trying to set up a firewall to do static NAT between two networks:

   internal network
    192.168.1.0/24

   server 192.168.1.3
       |
     LAN_IF 192.168.1.7
    Firewall
     EXT_IF 10.80.137.1, 10.80.137.10
       |
      DMZ
    10.80.137.0/24

'server' should be reachable from the DMZ by talking to 10.80.137.1. That
address has no other purpose.
Default policies are currently ACCEPT. All the tables have been cleared before
I installed the rules posted below.
Testing is done by connecting a dedicated computer to each interface and trying
to reach the one on the internal net from the DMZ. The firewall can reach each
computer and each computer can reach the firewall (ping).

My rules so far don't work. I can not reach 'server' by talking to 10.80.137.1
on the external IF of the Firewall. Any idea why?

I hope that the two networks are both private networks does not create a problem
here.

------------------------------------------------
ifconfig eth1 add 10.80.137.1 netmask 255.255.255.0

echo "Clearing current rules ..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# LAN: 192.168.1.0/24
LAN_IF=eth0
# EXT: 10.80.137.0/24
EXT_IF=eth1

# 'server':
EXT_DS=10.80.137.1
DS=192.168.1.195

IPTABLES=/sbin/iptables

# (Connections originating from the DMZ)
$IPTABLES -t nat -A PREROUTING -d $EXT_DS -i $EXT_IF -j DNAT --to-destination $DS
$IPTABLES -A FORWARD -p all -i $EXT_IF -o $LAN_IF -d $DS -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -t filter -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# (Connections originating from internal)
$IPTABLES -t nat -A POSTROUTING -s $EXT_DS -o $EXT_IF -j SNAT --to-source $DS
$IPTABLES -A FORWARD -t filter -i $LAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

------------------------------------------------

Thanks in advance
  Markus

---------------------------------------------------------------------------------
| Dipl. Inform. Markus Trümper             |                                    |
|                                          | Daewoo Automobile Deutschland GmbH |
| email:   m.truemper@daewoo-automobile.de | Lindenstraße 110                   |
| www:     http://www.daewoo-automobile.de | 28755 Bremen                       |
| Telefon: +49 (0)421 668-4138             | Germany                            |
| Fax:     +49 (0)421 668-4192             |                                    |
---------------------------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: Static NAT w/ iptables problem
  - From: Stephen Gran <sgran@debian.org>
- Re: Static NAT w/ iptables problem
  - From: Philipp Schulte <pschulte@uni-duisburg.de>

Prev by Date: Re: newbie iptables question
Next by Date: unsubscribe
Previous by thread: [François TOURDE] Re: newbie iptables question
Next by thread: Re: Static NAT w/ iptables problem
Index(es):
- Date
- Thread