Re: Static NAT w/ iptables problem
> I'm not sure I get you here. Do you want 192.168.1.3 to appear as
> though it's running on 10.80.137.1,
bingo.
> You're just connecting two private networks (one a DMZ), and you set
> aside an IP that will map to the DMZ address, correct?
Yes.
Some additional info as to how this problem came to pass:
We are part of a larger company (got purchased not too long ago). They
want to access some of our servers. They provided a line and the
10.80.137.0/24 subnet with the request to map the first server they
want to access to 10.80.137.1. My own internal network is 192.168.1.0/24,
so SNAT seemed to be the obvious solution.
As a special quirk the gateway machine to their network has a completely
different address (public, I think) in its own little (/29) network which
is where the address of eth1 really is going to be.
If the NAT works I still need to configure some routing but I think I can
do that on my own.
OK, so I think what you have on the firewall machine is:
eth0 ip 192.168.1.7
eth1 ip a.b.c.d
eth1:0 ip 10.80.137.1
eth1:1 ip 10.80.137.10 (I'll use this as a masquerading interface if we
need to contact some server on their side)
> (I will base my rules on that idea - if not, substitute)
> DMZ_IP=10.80.137.1
> LAN_SERVER=192.168.1.3
(currently a machine I test with, ...195, but basically yes).
> for port in $server_ports; do
> iptables -A FORWARD -p tcp --dport $port -j ACCEPT
> iptables -t nat -A PREROUTING -d $DMZ_IP --dport $port -j DNAT --to $LAN_SERVER:$port
> done
>
> If you want requests to go to 192.168.1.3:
>
> LAN_SERVER=192.168.1.3
> for port in $server_ports; do
> iptables -A FORWARD -p tcp -i eth1 -d $LAN_SERVER --dport $port -j ACCEPT
> done
I did define server_ports="23" for telnet. I even added -m mport.
I'm sorry, I could get neither to fly. It said
iptables: No chain/target/match by that name.
Currently I just want it to work with telnet, everything else is currently considered
icing on the cake.
Best regards,
Markus
---------------------------------------------------------------------------------
| Dipl. Inform. Markus Trümper | |
| | Daewoo Automobile Deutschland GmbH |
| email: m.truemper@daewoo-automobile.de | Lindenstraße 110 |
| www: http://www.daewoo-automobile.de | 28755 Bremen |
| Telefon: +49 (0)421 668-4138 | Germany |
| Fax: +49 (0)421 668-4192 | |
---------------------------------------------------------------------------------
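Added example, not part of Markus's message or the quoted reply: a dry-run generator for the one-to-one mapping discussed in this thread (10.80.137.1 to 192.168.1.3 behind eth1, telnet only). The function names, the port validation and the missing_from helper are assumptions of this example; missing_from can be pointed at /proc/net/ip_tables_targets or /proc/net/ip_tables_matches, because iptables reports "No chain/target/match by that name" when the kernel lacks something a rule asks for.

```shell
#!/bin/sh
# Added example (not from the thread): print a 1:1 static NAT rule set.
# Addresses, interface and port are the ones named in the thread.
MAPPED_IP=10.80.137.1    # address the remote network connects to
LAN_SERVER=192.168.1.3   # real server on the internal LAN
EXT_IF=eth1              # interface facing the remote network
SERVER_PORTS="23"        # telnet only

# Accept only a decimal TCP port in 1..65535, so nothing else reaches the rules.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rules that do not depend on the port list.
common_rules() {
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_SERVER -j SNAT --to-source $MAPPED_IP"
}

# Inbound rules for one port. -p tcp precedes --dport because the port
# match belongs to the tcp protocol extension.
port_rules() {
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $MAPPED_IP --dport $1 -j DNAT --to-destination $LAN_SERVER:$1"
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $LAN_SERVER --dport $1 -m state --state NEW -j ACCEPT"
}

# Whole rule set; fails without printing any rule if a port is invalid.
build_ruleset() {
    for p in $SERVER_PORTS; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    common_rules
    for p in $SERVER_PORTS; do port_rules "$p"; done
}

# Names from $2 (space-separated) that are absent from the list file $1,
# one name per line, as in /proc/net/ip_tables_targets.
missing_from() {
    for name in $2; do
        grep -qx "$name" "$1" 2>/dev/null || printf '%s ' "$name"
    done
}

build_ruleset    # dry run: review the output, then pipe it to "sh" as root
```

The SNAT line only covers connections the server itself opens toward the remote network; replies to inbound DNAT connections are translated back by connection tracking.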