
Re: Static NAT w/ iptables problem

This one time, at band camp, Markus Trümper said:
> > I'm not sure I get you here.  Do you want to appear as
> > though it's running on,

> bingo.

> > You're just connecting two private networks (one a DMZ), and you set
> > aside an IP that will map to the DMZ address, correct?

> Yes.

Good.  Easy enough.

> Some additional info as to how this problem came to pass:
> We are part of a larger company (got purchased not too long ago). They
> want to access some of our servers. They provided a line and the
> subnet with the request to map the first server they
> want to access to My own internal network is,
> so snat seemed to be the obvious solution.
> As a special quirk the gateway machine to their network has a completely
> different address (public, I think) in its own little (/29) network which
> is where the address of eth1 really is going to be.


> If the nat works I still need to configure some routing but I think I can
> do that on my own.
> OK, so I think what you have on the firewall machine is:
> eth0 ip
> eth1 ip a.b.c.d
> eth1:0 ip
> eth1:1 ip (I'll use this as a masquerading interface if we
>                        need to contact some server on their side)

/etc/network/interfaces should have something like:
(I don't know if you actually need to be on their netblock to route
packets correctly or not - this assumes no.  If I'm wrong, change eth1
to eth1:0, remove the gateway line and add a stanza for the real eth1
info.  Also add the auto lines)

iface eth1 inet static
        gateway (their gateway)

iface eth1:1 inet static

iface eth0 inet static


Based on that, you do the following (just for telnet for now):

# Gives any packets going out eth1 (physical interface) source address

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to (or .1, but .10 makes more sense)

# Any packet coming in to destination address, port 23 is
# remapped to, port 23

iptables -t nat -A PREROUTING -p tcp -d --dport 23 -j DNAT --to

# We agree to forward those packets internally

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 23 -d -j ACCEPT

If this doesn't work for you, I'm not sure what the problem is - just
try running them one at a time and see where they error, if there is a
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
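The translation path those three rules set up, as an added Python model of the netfilter hook order (not code from the mail, and not iptables itself); it uses constructed placeholder addresses because the real ones did not survive, and it assumes a FORWARD policy of DROP plus a conntrack ESTABLISHED rule for replies, which the mail's rules do not include. The point it makes explicit is that the FORWARD rule matches the already-DNATed destination, and that reply packets are handled by conntrack rather than by the listed rules.

```python
from dataclasses import dataclass, replace

# Constructed placeholder values; the addresses in the original mail did not survive.
EXT_IF, INT_IF = "eth1", "eth0"
MAPPED_IP = "192.0.2.10"   # address on the parent company's subnet that stands in for the server
SERVER_IP = "10.0.0.5"     # real address of the server on the internal network
INTERNAL_NET = "10.0.0."   # crude prefix check standing in for the routing table
TELNET = 23

@dataclass(frozen=True)
class Pkt:
    in_if: str
    src: str
    sport: int
    dst: str
    dport: int

# conntrack: key = 4-tuple a reply carries on the wire, value = pre-NAT 4-tuple of the opener.
conntrack = {}

def traverse(p, policy_drop=True):
    """Walk one forwarded packet through PREROUTING -> routing -> FORWARD -> POSTROUTING.
    Returns (verdict, packet as it leaves the box, outgoing interface)."""
    entry = p
    orig = conntrack.get((p.src, p.sport, p.dst, p.dport))
    if orig:                                     # reply to a tracked connection
        osrc, osport, odst, odport = orig
        p = replace(p, dst=osrc)                 # PREROUTING: undo SNAT on the reply's dst
    elif p.in_if == EXT_IF and p.dst == MAPPED_IP and p.dport == TELNET:
        p = replace(p, dst=SERVER_IP)            # PREROUTING: the mail's DNAT rule
    out_if = INT_IF if p.dst.startswith(INTERNAL_NET) else EXT_IF
    # FORWARD: the mail's rule sees the translated dst; replies pass only via ESTABLISHED (assumed)
    allowed = bool(orig) or (p.in_if == EXT_IF and out_if == INT_IF
                             and p.dport == TELNET and p.dst == SERVER_IP)
    if not allowed and policy_drop:
        return "DROP", p, out_if
    if orig:
        p = replace(p, src=odst)                 # POSTROUTING: undo DNAT on the reply's src
    else:
        if out_if == EXT_IF:
            p = replace(p, src=MAPPED_IP)        # POSTROUTING: the mail's SNAT rule
        conntrack[(p.dst, p.dport, p.src, p.sport)] = (
            entry.src, entry.sport, entry.dst, entry.dport)
    return "ACCEPT", p, out_if

def telnet_session():
    # Client on their side opens telnet to the mapped address; the server answers.
    req = traverse(Pkt(EXT_IF, "198.51.100.7", 40000, MAPPED_IP, TELNET))
    rep = traverse(Pkt(INT_IF, SERVER_IP, TELNET, "198.51.100.7", 40000))
    return req, rep
```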
