
Re: Static NAT w/ iptables problem



This one time, at band camp, Markus Trümper said:
>  Hello,
> 
> I'm trying to set up a firewall to do static NAT between two networks:
> 
>    internal network
>     192.168.1.0/24
> 
>    server 192.168.1.3
>        |
>      LAN_IF 192.168.1.7
>     Firewall
>      EXT_IF 10.80.137.1, 10.80.137.10
>        |
>       DMZ
>     10.80.137.0/24
> 
> 'server' should be reachable from the DMZ by talking to 10.80.137.1. That
> address has no other purpose.
> Default policies are currently ACCEPT. All the tables have been cleared before
> I installed the rules posted below.
> Testing is done by connecting a dedicated computer to each interface and trying
> to reach the one on the internal net from the DMZ. The firewall can reach each
> computer and each computer can reach the firewall (ping).

I'm not sure I get you here.  Do you want 192.168.1.3 to appear as
though it's running on 10.80.137.1, or do you want it to appear as
itself, but be protected by a firewall?  You're just connecting two
private networks (one a DMZ), and you set aside an IP that will map to
the DMZ address, correct?

> My rules so far don't work. I cannot reach 'server' by talking to 10.80.137.1
> on the external IF of the Firewall. Any idea why?
> 
> I hope that the two networks both being private networks does not create a
> problem here.

No, that's no problem.

OK, so I think what you have on the firewall machine is:
eth0 ip 192.168.1.7
eth1 ip 10.80.137.10
eth1:0 ip 10.80.137.1

(I will base my rules on that idea - if not, substitute)

If you want requests to go to 10.80.137.1:

DMZ_IP=10.80.137.1
LAN_SERVER=192.168.1.3
# server_ports: the TCP ports the server should answer on, e.g. "22 80"

for port in $server_ports; do
  iptables -A FORWARD -p tcp --dport $port -j ACCEPT
  # --dport only works together with a protocol match, so -p tcp is needed here too
  iptables -t nat -A PREROUTING -p tcp -d $DMZ_IP --dport $port -j DNAT --to-destination $LAN_SERVER:$port
done

If you want requests to go to 192.168.1.3:

LAN_SERVER=192.168.1.3
for port in $server_ports; do
  iptables -A FORWARD -p tcp -i eth1 -d $LAN_SERVER --dport $port -j ACCEPT
done

This will not forward pings and such, only direct queries to the
relevant ports.  If you want to forward pings or something else (udp
traffic, etc) you'll have to set that up.  Also adding
ESTABLISHED,RELATED checking would be good, all the usual stuff.

Note - these rules are pretty rough, and also pretty open.  Look them
over carefully.  I haven't had much coffee yet :)

HTH,
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------
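As an added example (not code from the thread or from either poster), here is a sh script that builds the full 1:1 mapping the original post calls static NAT, using the interface layout the reply assumes (eth0 on the LAN, eth1 on the DMZ with 10.80.137.1 as the alias). It goes beyond the reply by adding the ESTABLISHED,RELATED handling it mentions, a default-deny FORWARD policy and the SNAT leg so the server also appears as 10.80.137.1 when it connects out; the ports in SERVER_PORTS are constructed placeholders, and net.ipv4.ip_forward is assumed to be enabled already.

```shell
#!/bin/sh
# Added example, not from the thread. Layout assumed from the reply:
#   eth0 = LAN side 192.168.1.7, eth1 = DMZ side 10.80.137.10 plus alias 10.80.137.1
LAN_IF=eth0
DMZ_IF=eth1
DMZ_IP=10.80.137.1
LAN_SERVER=192.168.1.3
SERVER_PORTS="${SERVER_PORTS:-22 80}"   # constructed placeholder ports; use the real ones
# With DRY_RUN=1 every rule is printed instead of applied, so the set can be
# reviewed (or tested) on a machine without root or iptables.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}
static_nat_rules() {
  # Default-deny the forwarding path; the reply's rules were, as it says, pretty open.
  ipt -P FORWARD DROP
  # Replies and related packets (e.g. ICMP errors) are allowed in both directions.
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for port in $SERVER_PORTS; do
    # Inbound leg: rewrite the DMZ-facing address to the real server...
    ipt -t nat -A PREROUTING -i "$DMZ_IF" -d "$DMZ_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$LAN_SERVER:$port"
    # ...and accept only new connections to the server on that port, after the rewrite.
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -d "$LAN_SERVER" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
  done
  # Outbound leg: connections the server opens towards the DMZ leave as 10.80.137.1,
  # which makes the mapping a true 1:1 static NAT rather than plain port forwarding.
  ipt -t nat -A POSTROUTING -o "$DMZ_IF" -s "$LAN_SERVER" -j SNAT --to-source "$DMZ_IP"
  ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_SERVER" -m conntrack --ctstate NEW -j ACCEPT
}
# Count generated rules matching a pattern; a quick sanity check of the rule set.
count_rules() {
  ( DRY_RUN=1; static_nat_rules ) | grep -c -- "$1"
}
# Apply for real only when asked; otherwise print the rules for review.
if [ "${APPLY:-0}" = 1 ]; then
  static_nat_rules
else
  ( DRY_RUN=1; static_nat_rules )
fi
```

Run it as root with APPLY=1 to load the rules; without it the script only prints them.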
