This one time, at band camp, Markus Trümper said:
> > I'm not sure I get you here. Do you want 192.168.1.3 to appear as
> > though it's running on 10.80.137.1,
> bingo.
> > You're just connecting two private networks (one a DMZ), and you set
> > aside an IP that will map to the DMZ address, correct?
> Yes.

Good. Easy enough.

> Some additional info as to how this problem came to pass:
> We are part of a larger company (got purchased not too long ago). They
> want to access some of our servers. They provided a line and the
> 10.80.137.0/24 subnet with the request to map the first server they
> want to access to 10.80.137.1. My own internal network is 192.168.1.0/24,
> so snat seemed to be the obvious solution.
> As a special quirk the gateway machine to their network has a completely
> different address (public, I think) in its own little (/29) network which
> is where the address of eth1 really is going to be.

Gotcha.

> If the nat works I still need to configure some routing but I think I can
> do that on my own.

OK, so I think what you have on the firewall machine is:

eth0   ip 192.168.1.7
eth1   ip a.b.c.d
eth1:0 ip 10.80.137.1
eth1:1 ip 10.80.137.10 (I'll use this as a masquerading interface if we
                        need to contact some server on their side)

/etc/network/interfaces should have something like:
(I don't know if you actually need to be on their netblock to route
packets correctly or not - this assumes no. If I'm wrong, change eth1 to
eth1:0, remove the gateway line and add a stanza for the real eth1 info.
Also add the auto lines.)

iface eth1 inet static
    address 10.80.137.10
    netmask 255.255.255.0
    gateway (their gateway)

iface eth1:1 inet static
    address 10.80.137.1
    netmask 255.255.255.0

iface eth0 inet static
    address 192.168.1.7
    netmask 255.255.255.0

OK?
Based on that, you do the following (just for telnet for now):

# Gives any packets going out eth1 (physical interface) source address
# 10.80.137.10
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.80.137.10

(or .1, but .10 makes more sense)

# Any packet coming in to destination address 10.80.137.1, port 23 is
# remapped to 192.168.1.3, port 23
iptables -t nat -A PREROUTING -p tcp -d 10.80.137.1 --dport 23 -j DNAT --to 192.168.1.3:23

# We agree to forward those packets internally
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 23 -d 192.168.1.3 -j ACCEPT

If this doesn't work for you, I'm not sure what the problem is - just try
running them one at a time and see where they error, if there is a problem.

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
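The SNAT/DNAT setup Stephen sketches above, written out as an added example (this is not code from his message or from Markus's setup). It takes the same addresses and interface names as assumptions (eth1 towards the parent company carrying 10.80.137.10 as the masquerading address and 10.80.137.1 as the published address, eth0 on 192.168.1.0/24, 192.168.1.3 as the real server), generalizes from the single telnet port to a list of ports, and adds the pieces the rules in the message leave to the reader: the ip_forward sysctl, a FORWARD policy of DROP with a conntrack rule for return traffic, `-i eth1` on the DNAT so only packets arriving from their side are rewritten, and `-s 192.168.1.0/24` on the SNAT so only our LAN's outbound connections are masqueraded. By default it only prints the commands; `--apply` runs them as root.

```shell
#!/bin/sh
# Added example, not code from Stephen's message: builds the SNAT/DNAT
# rule set for the topology described in the thread and prints it for
# review before anything is applied. Interface names, addresses and the
# port list are taken from the thread as assumptions; adjust to taste.
set -eu

OUTSIDE_IF="eth1"            # physical link towards the parent company
INSIDE_IF="eth0"             # our LAN
INSIDE_NET="192.168.1.0/24"
MASQ_IP="10.80.137.10"       # source address for our outbound connections
PUBLISHED_IP="10.80.137.1"   # address they connect to
TARGET_IP="192.168.1.3"      # real server behind the firewall
PORTS="23"                   # tcp ports to publish, space separated

# Print the iptables commands (one per line) for the given port list.
gen_rules() {
    ports="${1:-$PORTS}"
    nat="iptables -t nat -A"
    flt="iptables -A FORWARD"

    # Outbound: only new connections from our LAN leaving eth1 get the
    # masquerading address. Replies to DNATed connections are reversed
    # by conntrack and never consult the nat table.
    echo "$nat POSTROUTING -s $INSIDE_NET -o $OUTSIDE_IF -j SNAT --to-source $MASQ_IP"

    # Inbound: rewrite the published address only for packets that arrive
    # on eth1, so a LAN host talking to 10.80.137.1 is not redirected.
    for p in $ports; do
        echo "$nat PREROUTING -i $OUTSIDE_IF -p tcp -d $PUBLISHED_IP --dport $p -j DNAT --to-destination $TARGET_IP:$p"
    done

    # FORWARD defaults to DROP; replies pass via the conntrack state rule,
    # so only the first packet of each direction needs an explicit rule.
    echo "iptables -P FORWARD DROP"
    echo "$flt -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "$flt -i $OUTSIDE_IF -o $INSIDE_IF -p tcp -d $TARGET_IP --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "$flt -i $INSIDE_IF -o $OUTSIDE_IF -s $INSIDE_NET -m conntrack --ctstate NEW -j ACCEPT"
}

# Number of DNAT rules generated; a quick check that every published
# port got its translation rule.
count_dnat() {
    gen_rules "${1:-$PORTS}" | grep -c -- '-j DNAT'
}

# Run the commands for real. Forwarding must be on, or the translated
# packets are dropped on the firewall right after the DNAT.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: need root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules "${1:-$PORTS}" | sh -e
}

case "${1:-}" in
    --apply) apply_rules "${2:-$PORTS}" ;;
    *)       gen_rules "${1:-$PORTS}" ;;
esac
```

Run it with no arguments (or with a port list such as `23 22`) to see the rules it would install, compare against `iptables-save` on the box, and only then run it with `--apply`. Running the printed commands one at a time, as Stephen suggests, still works for narrowing down a failure.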