This one time, at band camp, Markus Trümper said:
> > I'm not sure I get you here. Do you want 192.168.1.3 to appear as
> > though it's running on 10.80.137.1,
> bingo.
> > You're just connecting two private networks (one a DMZ), and you set
> > aside an IP that will map to the DMZ address, correct?
> Yes.
Good. Easy enough.
> Some additional info as to how this problem came to pass:
> We are part of a larger company (got purchased not too long ago). They
> want to access some of our servers. They provided a line and the
> 10.80.137.0/24 subnet with the request to map the first server they
> want to access to 10.80.137.1. My own internal network is 192.168.1.0/24,
> so snat seemed to be the obvious solution.
> As a special quirk the gateway machine to their network has a completely
> different address (public, I think) in its own little (/29) network which
> is where the address of eth1 really is going to be.
Gotcha.
> If the NAT works I still need to configure some routing but I think I can
> do that on my own.
>
> OK, so I think what you have on the firewall machine is:
> eth0 ip 192.168.1.7
> eth1 ip a.b.c.d
> eth1:0 ip 10.80.137.1
> eth1:1 ip 10.80.137.10 (I'll use this as a masquerading interface if we
> need to contact some server on their side)
/etc/network/interfaces should have something like:
(I don't know if you actually need to be on their netblock to route
packets correctly or not - this assumes no. If I'm wrong, change eth1
to eth1:0, remove the gateway line and add a stanza for the real eth1
info. Also add the auto lines)
iface eth1 inet static
    address 10.80.137.10
    netmask 255.255.255.0
    gateway (their gateway)

iface eth1:1 inet static
    address 10.80.137.1
    netmask 255.255.255.0

iface eth0 inet static
    address 192.168.1.7
    netmask 255.255.255.0
OK?
Based on that, you do the following (just for telnet for now):
# Gives any packets going out eth1 (physical interface) source address
# 10.80.137.10 (or .1, but .10 makes more sense)
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.80.137.10
# Any packet coming in to destination address 10.80.137.1, port 23 is
# remapped to 192.168.1.3, port 23
iptables -t nat -A PREROUTING -p tcp -d 10.80.137.1 --dport 23 -j DNAT --to 192.168.1.3:23
# We agree to forward those packets internally
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 23 -d 192.168.1.3 -j ACCEPT
If this doesn't work for you, I'm not sure what the problem is - just
try running them one at a time and see where they error, if there is a
problem.
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
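An added example, not part of the original message: a small Python model of the netfilter path those three rules describe (PREROUTING DNAT, the FORWARD check, POSTROUTING SNAT, plus the connection tracking the kernel does for replies), using the addresses from the thread. It assumes a DROP policy on FORWARD and one extra LAN-out rule that the message does not yet include; the packets are constructed.

```python
from dataclasses import dataclass, replace

DMZ_IP, INSIDE_IP, SNAT_IP = "10.80.137.1", "192.168.1.3", "10.80.137.10"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


# Conntrack table: reply-direction 4-tuple -> original (untranslated) packet.
# This is why no second rule is needed for replies: the kernel reverses the
# mapping itself from this table.
conntrack: dict = {}


def nat_walk(p: Pkt, in_if: str, out_if: str):
    """Run one TCP packet through PREROUTING -> FORWARD -> POSTROUTING.
    Returns the packet as it leaves the gateway, or None if FORWARD drops it."""
    orig = conntrack.get((p.src, p.sport, p.dst, p.dport))
    if orig is not None:  # reply to a tracked connection: ESTABLISHED, un-NAT it
        return Pkt(orig.dst, orig.dport, orig.src, orig.sport)
    first = p
    # PREROUTING: -p tcp -d 10.80.137.1 --dport 23 -j DNAT --to 192.168.1.3:23
    if p.dst == DMZ_IP and p.dport == 23:
        p = replace(p, dst=INSIDE_IP, dport=23)
    # FORWARD: -i eth1 -o eth0 -p tcp --dport 23 -d 192.168.1.3 -j ACCEPT
    # Assumption (not in the message): policy DROP, plus -i eth0 -o eth1 ACCEPT
    # so the internal LAN can reach their side.
    allowed = (in_if == "eth1" and out_if == "eth0"
               and p.dst == INSIDE_IP and p.dport == 23) \
        or (in_if == "eth0" and out_if == "eth1")
    if not allowed:
        return None
    # POSTROUTING: -o eth1 -j SNAT --to 10.80.137.10 (first packet only; the
    # DNATed telnet session leaves on eth0, so it keeps the real client source)
    if out_if == "eth1":
        p = replace(p, src=SNAT_IP)
    conntrack[(p.dst, p.dport, p.src, p.sport)] = first
    return p
```

Because the SNAT rule only matches traffic leaving eth1, 192.168.1.3 still sees the remote client's real address on the telnet session, which keeps its logs useful; an attempt at another port on 10.80.137.1 is never rewritten and never reaches the inside host.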