[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Static NAT w/ iptables problem

This one time, at band camp, Markus Trümper said:
>  Hello,
> I'm trying to set up a firewall to do static NAT between two networks:
>    internal network
>    server
>        |
>      LAN_IF
>     Firewall
>      EXT_IF,
>        |
>       DMZ
> 'server' should be reachable from the DMZ by talking to That
> address has no other purpose.
> Default policies are currently ACCEPT. All the tables have been cleared before
> I installed the rules posted below.
> Testing is done by connecting a dedicated computer to each interface and trying
> to reach the one on the internal net from the DMZ. The firewall can reach each
> computer and each computer can reach the firewall (ping).

I'm not sure I get you here.  Do you want to appear as
though it's running on, or do you want it to appear as
itself, but be protected by a firewall?  You're just connecting two
private networks (one a DMZ), and you set aside an IP that will map to
the DMZ address, correct?

> My rules so far don't work. I can not reach 'server' by talking to
> on the external IF of the Firewall. Any idea why?
> I hope that the two networks are both private networks does not create a problem
> here.

No, that's no problem.

OK, so I think what you have on the firewall machine is:
eth0 ip
eth1 ip
eth1:0 ip

(I will base my rules on that idea - if not, substitute)

If you want requests to go to


for port in $server_ports; do
  iptables -A FORWARD -p tcp --dport $port -j ACCEPT
  iptables -t nat -A PREROUTING -d $DMZ_IP --dport $port -j DNAT --to $LAN_SERVER:$port

If you want requests to go to

for port in $server_ports; do
  iptables -A FORWARD -p tcp -i eth1 -d $LAN_SERVER --dport $port -j ACCEPT

This will not forward pings and such, only direct queries to the
relevant ports.  If you want to forward pings or something else (udp
traffic, etc) you'll have to set that up.  Also adding
ESTABLISHED,RELATED checking would be good, all the usual stuff.

Note - these rules are pretty rough, and also pretty open.  Look them
over carefully.  I haven't had much coffee yet :)

|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |

Attachment: pgpGtO0Ia68RX.pgp
Description: PGP signature

Reply to: