* 1:1 NAT
@ 2003-01-21 16:00 Mike
  2003-01-21 16:41 ` Maciej Soltysiak
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Mike @ 2003-01-21 16:00 UTC (permalink / raw)
  To: netfilter

Can anyone point me to some docs on setting up 1:1 NAT on netfilter?

What I am trying to do is like how it's done on Cisco PIX, i.e.
"static (inside,outside) 208.15.232.12 192.168.1.167 netmask 255.255.255.255 0 0"

That way I don't have to do IP alias on my ethernet card.

Thanks,

Mike



* Re: 1:1 NAT
@ 2003-01-21 17:00 Walther
  0 siblings, 0 replies; 10+ messages in thread
From: Walther @ 2003-01-21 17:00 UTC (permalink / raw)
  To: Mike; +Cc: netfilter

hi,

from outside to inside:

iptables -t nat -A PREROUTING -d 208.15.232.12 -j DNAT --to 192.168.1.167

the other way around:

iptables -t nat -A POSTROUTING -s 192.168.1.167 -j SNAT --to 208.15.232.12

you should specify the input and output interface as well, like this:

iptables -t nat -A PREROUTING -i <external-interface> -d 208.15.232.12 -j DNAT --to 192.168.1.167

and

iptables -t nat -A POSTROUTING -o <external-interface> -s 192.168.1.167 -j SNAT --to 208.15.232.12

Best Regards,

Stefan Walther
stefan_walther@gehag-dsk.de
dienst.: +4930/89786448
Funk: +49172/3943961
http://www.gehag-dsk.de

-------------------------------------------------------------- 
Linux/UNIX is like an Indian Tipi:
No Windows, no Gates and Apache inside.

Outgoing Mail is certified mistake-free. 
Examined by DOGMATIC infallibility system. 
Version 6.04

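A check that goes with the rule pair above, added here as an example and not code from the thread or from any poster: the DNAT rule on its own hands every port of 192.168.1.167 to the outside (with the default ACCEPT policy on FORWARD), and a DNAT without its matching SNAT gives the host a different source address on the way out. The script below reads `iptables-save` output and reports, per DNAT mapping, whether the reverse SNAT exists and whether FORWARD has any rule for the inside host. The sample rule set embedded in it is constructed for the example, not captured from a real gateway; the function name `audit_nat` is the example's own.

```shell
#!/bin/sh
# audit_1to1_nat.sh -- added example, not part of the thread.
# Reads `iptables-save` output and reports, for every DNAT mapping in the nat
# table, whether the reverse SNAT rule exists and whether the FORWARD chain has
# any rule for the inside host (a DNAT with an ACCEPT FORWARD policy and no
# FORWARD rule exposes every port of that host).
set -eu

# Constructed sample of iptables-save output (not captured from a real host).
# .12 is a complete mapping; .13 has DNAT only and nothing in FORWARD.
SAMPLE_RULES='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 208.15.232.12/32 -j DNAT --to-destination 192.168.1.167
-A PREROUTING -i eth0 -d 208.15.232.13/32 -j DNAT --to-destination 192.168.1.168
-A POSTROUTING -o eth0 -s 192.168.1.167/32 -j SNAT --to-source 208.15.232.12
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.1.167/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.167/32 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.1.167/32 -j DROP
COMMIT'

# audit_nat: iptables-save text on stdin, one report line per DNAT mapping on stdout:
#   <public> -> <internal> snat=<yes|no> forward_rules=<yes|no> policy=<FORWARD policy>
audit_nat() {
  awk '
    BEGIN { policy = "?" }
    /^\*/ { table = substr($0, 2); next }           # "*nat" / "*filter"
    table == "filter" && /^:FORWARD/ { policy = $2; next }
    table == "nat" && /^-A PREROUTING/ && /-j DNAT/ {
      pub = ""; internal = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") { pub = $(i+1); sub(/\/32$/, "", pub) }
        if ($i == "--to-destination") internal = $(i+1)
      }
      if (pub != "" && internal != "") { order[++n] = pub; dnat[pub] = internal }
      next
    }
    table == "nat" && /^-A POSTROUTING/ && /-j SNAT/ {
      src = ""; to = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") { src = $(i+1); sub(/\/32$/, "", src) }
        if ($i == "--to-source") to = $(i+1)
      }
      if (src != "" && to != "") snat[to] = src   # public -> inside host it masks
      next
    }
    table == "filter" && /^-A FORWARD/ {
      for (i = 1; i <= NF; i++)
        if ($i == "-d") { d = $(i+1); sub(/\/32$/, "", d); fwd[d] = 1 }
      next
    }
    END {
      for (k = 1; k <= n; k++) {
        pub = order[k]; internal = dnat[pub]
        s = ((pub in snat) && snat[pub] == internal) ? "yes" : "no"
        f = (internal in fwd) ? "yes" : "no"
        printf "%s -> %s snat=%s forward_rules=%s policy=%s\n", pub, internal, s, f, policy
      }
    }'
}

# Stand-alone run over the constructed sample; on a real gateway use
#   iptables-save | audit_nat
printf '%s\n' "$SAMPLE_RULES" | audit_nat
```

On the sample this prints one line per mapping; the second line (snat=no, forward_rules=no, policy=ACCEPT) is the case to fix first, since that host is reachable on every port and answers from the gateway's own address.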
* 1:1 NAT
@ 2003-02-01 18:20 Federico Cruciani
  0 siblings, 0 replies; 10+ messages in thread
From: Federico Cruciani @ 2003-02-01 18:20 UTC (permalink / raw)
  To: netfilter

> What I am trying to do is like how its done on cisco PIX i.e
> "static (inside,outside) 208.15.232.12 192.168.1.167 netmask 255.255.255.255
> 0 0"

Cisco PIX does proxy-arp automatically if the external IP address in the nat
statement is not assigned on its outside interface. So, to build something
similar, what you need is to activate proxy-arp on your iptables box and
publish on the external network the public IP addresses you want to nat which
are not physically assigned on the iptables box.

Following your example, suppose that your iptables Linux box has an
<fw_outside_address> on the external interface, eth0, different from the one
you want to nat, <public_address> (which is 208.15.232.12 in your example),
to a host in your internal network which has <internal_address>. Eth1 is
the firewall's internal interface with address <fw_internal_address>.

First you need two iptables rules, one for inbound packets and one for
translating outbound packets:

 iptables -t nat -A PREROUTING -i eth0 -d <public_address> -j DNAT --to-destination <internal_address>

 iptables -t nat -A POSTROUTING -o eth0 -s <internal_address> -j SNAT --to-source <public_address>

This is not sufficient for Linux and iptables to make the <internal_address>
host work on the internet as expected. We have to add commands to activate
proxy arp and to tell your firewall where the packets for <public_address>
have to be sent.


So, in the second step we have to publish the <public_address> on the
external interface with the arp command:

 arp -Ds <public_address> eth0 pub

(If you like, I have a patched version of the Red Hat /etc/init.d/network
script which reads and sets static ARPs from a file, /etc/init.d/static-arp)


Finally, the most important step consists in adding a static route on the
iptables box for the <public_address> toward the inside interface where the
internal host lives:

 route add -host <public_address> dev eth1


This is the solution I have found to work and that I'm using in a lot of
different network scenarios.
Hope this helps you.

Iok
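Pulling Walther's rule pair and Federico's ARP and route steps together, here is an added example of one complete 1:1 mapping on an iptables gateway. It is not code from the thread or from any of the posters. It assumes the thread's addresses, eth0 as the outside interface and eth1 as the inside one, and that `iptables`, iproute2 (`ip`) and `sysctl` are the tools in use; the function names and the DRY_RUN switch are the example's own. It goes beyond the posts in two ways: it adds the FORWARD rules that a PIX `static` does not replace (with the default ACCEPT policy on FORWARD, a DNAT alone admits every port of the inside host), and it uses the iproute2 published-neighbour form in place of `arp -Ds ... pub`.

```shell
#!/bin/sh
# setup_1to1.sh -- added example, not code from the thread.
# One static (1:1) mapping on a Linux/iptables gateway: NAT rule pair,
# FORWARD filtering for the inside host, published ARP entry for the public
# address and the host route that makes the kernel answer for it.
# Assumptions: eth0 = outside, eth1 = inside, iptables + iproute2 present.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them (root).
set -eu

: "${DRY_RUN:=1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# is_ipv4: accept only a dotted-quad host address (the rules below are per host, not per prefix).
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# setup_1to1 PUBLIC INTERNAL EXT_IF INT_IF [TCP_PORTS]
# TCP_PORTS is a comma-separated list of ports reachable from outside (e.g. 80,443);
# with none given, only replies to connections the inside host opened get through.
setup_1to1() {
  pub=$1; internal=$2; ext_if=$3; int_if=$4; ports=${5:-}
  is_ipv4 "$pub" && is_ipv4 "$internal" || { echo "setup_1to1: bad address" >&2; return 1; }

  # 1. Translation. PREROUTING sees only the input interface and POSTROUTING only
  #    the output interface, so each rule carries exactly one of -i / -o.
  run iptables -t nat -A PREROUTING  -i "$ext_if" -d "$pub"      -j DNAT --to-destination "$internal"
  run iptables -t nat -A POSTROUTING -o "$ext_if" -s "$internal" -j SNAT --to-source "$pub"

  # 2. Filtering. After DNAT the packet is addressed to $internal in FORWARD; the
  #    DNAT rule alone would admit every port, so allow replies and listed ports, drop the rest.
  run iptables -A FORWARD -i "$ext_if" -o "$int_if" -d "$internal" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for p in $(printf '%s\n' "$ports" | tr ',' ' '); do
    run iptables -A FORWARD -i "$ext_if" -o "$int_if" -d "$internal" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
  run iptables -A FORWARD -i "$ext_if" -o "$int_if" -d "$internal" -j DROP
  run iptables -A FORWARD -i "$int_if" -o "$ext_if" -s "$internal" -j ACCEPT

  # 3. Answer ARP for an address the gateway does not own: a published (proxy) neighbour
  #    entry, the iproute2 form of `arp -Ds $pub $ext_if pub`. No proxy_arp sysctl needed.
  run ip neigh add proxy "$pub" dev "$ext_if"

  # 4. Route the public address inward. The kernel replies for a published entry only when
  #    its route for that address leaves through a different interface than the request
  #    came in on, so without this /32 via $int_if the entry above stays silent.
  run ip route add "$pub"/32 dev "$int_if"

  # 5. Nothing is forwarded at all until this is on.
  run sysctl -w net.ipv4.ip_forward=1
}

# Stand-alone: ./setup_1to1.sh PUBLIC INTERNAL EXT_IF INT_IF [PORTS];
# with no arguments, print the plan for the thread's example addresses.
if [ $# -ge 4 ]; then
  setup_1to1 "$@"
else
  setup_1to1 208.15.232.12 192.168.1.167 eth0 eth1 80,443
fi
```

Run it once with DRY_RUN=1 and read the plan before running it as root with DRY_RUN=0. Two things to check afterwards: `ip neigh show proxy` should list the public address on eth0, and from another host on the outside segment an `arping` for that address should be answered with the gateway's eth0 MAC; if it is not, the usual cause is the missing /32 route from step 4, which is exactly the step Federico calls the most important one.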




Thread overview: 10+ messages
2003-01-21 16:00 1:1 NAT Mike
2003-01-21 16:41 ` Maciej Soltysiak
2003-01-22  5:21 ` Raymond Leach
2003-01-22  6:42   ` Martin Josefsson
2003-01-22  6:50     ` Raymond Leach
2003-01-22  7:02       ` Martin Josefsson
2003-01-22  7:03         ` Raymond Leach
2003-01-27 18:38 ` 1:1 NAT/Not working Mike
  -- strict thread matches above, loose matches on Subject: below --
2003-01-21 17:00 1:1 NAT Walther
2003-02-01 18:20 Federico Cruciani
