From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: Problems with NAT
Date: 29 May 2003 17:55:19 +0200
Message-ID: <1054223719.13048.37.camel@raylinux.internal>
In-Reply-To: <001d01c325f5$1ab72010$010319ac@jhime>


On Thu, 2003-05-29 at 17:15, Jose Luis Hime wrote:
> Dear all:
> 
> I have the following network:
>               :
>               :    /---------\
> /-------\  Leased  | Router  |  Leased  /----------\
> | LAN B |----------| without |----------| Internet |
> \-------/  Line 1  | NAT     |  Line 2  \----------/
>               :    \---------/
>               :         |
>               :         |
>               :   /----------\
>               :   | Firewall |      /-------\
>               :   | Linux    |------| LAN A |
>               :   | with NAT |      \-------/
>               :   \----------/
>               :
>    CITY "B"   :     CITY "A"
> 
> 1. The router, the firewall and LAN A are in city "A"
> 2. LAN B is in another city (city "B")
> 3. LAN A must access the internet, LAN B must not;
> 4. Unfortunately my router does not support NAT;
> 5. Both the router and the linux firewall have real internet IP addresses;
> 6. So:
>    - The linux firewall must NAT packets from LAN A to the internet;
>    - The linux firewall must not NAT packets from LAN A to LAN B;
> 
> I created rules in table "filter" allowing communication between LAN A and
> LAN B:
>    -t filter -A INPUT   -s LAN A -d LAN B -j ACCEPT
>    -t filter -A INPUT   -s LAN B -d LAN A -j ACCEPT
>    -t filter -A FORWARD -s LAN A -d LAN B -j ACCEPT
>    -t filter -A FORWARD -s LAN B -d LAN A -j ACCEPT
> 
> After that, I created one rule in table "nat" in order to allow LAN A
> accessing the internet:
>    -t nat -A POSTROUTING -s LAN A -d 0/0 -j SNAT --to Firewall_IP_address
> 
> The problem is that LAN A is making NAT to LAN B.
> 
> Is there a way to prevent the firewall from NATing from LAN A to LAN B? The
> problem is that both kinds of traffic (LAN A->internet and LAN A->LAN B) are
> going through the same interface...
> 
Sure, change your nat rule:
  -t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address

> With ipchains, after reaching the INPUT and FORWARD rules the firewall
> would stop and would not reach the NAT rules. This behavior changed in
> iptables and it always checks both tables (filter and nat).
> 
> Thanks in advance,
> Jose Hime
-- 
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--
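The rule set from this thread, written out as an added example (not Ray's or Jose's own script). The networks and the firewall address are constructed placeholders; by default the script only prints the iptables commands so it can be read and checked without root, and the negated destination is written in the current `! -d` form that replaced the older `-d !` spelling:

```shell
#!/bin/sh
# Constructed placeholder addresses (not from the thread):
LAN_A="192.168.1.0/24"      # network behind the Linux firewall (city A)
LAN_B="192.168.2.0/24"      # remote network reached over the router (city B)
FW_IP="203.0.113.10"        # the firewall's public address (TEST-NET-3)

# Dry run by default: print each rule instead of loading it.
# Run as root with IPT=iptables to actually apply the rules.
dry_run() { printf 'iptables %s\n' "$*"; }
IPT="${IPT:-dry_run}"

# The rule from the original post: every packet leaving LAN A is
# SNATed, including packets bound for LAN B, which is the reported bug.
nat_rules_broken() {
    $IPT -t nat -A POSTROUTING -s "$LAN_A" -d 0/0 -j SNAT --to "$FW_IP"
}

# Ray Leach's fix: only SNAT when the destination is NOT LAN B.
# Old iptables accepted "-d ! $LAN_B"; current releases want "! -d".
nat_rules_fixed() {
    $IPT -t nat -A POSTROUTING -s "$LAN_A" ! -d "$LAN_B" -j SNAT --to "$FW_IP"
}

# Filter rules from the post, unchanged: LAN A and LAN B may talk.
filter_rules() {
    $IPT -t filter -A FORWARD -s "$LAN_A" -d "$LAN_B" -j ACCEPT
    $IPT -t filter -A FORWARD -s "$LAN_B" -d "$LAN_A" -j ACCEPT
}

# On the live box: packet/byte counters on POSTROUTING show whether
# LAN A -> LAN B traffic still hits the SNAT rule after the change.
show_counters() {
    $IPT -t nat -L POSTROUTING -v -n --line-numbers
}

# Offline check: the fixed rule carries the negated destination and
# the broken one does not. Returns 0 when both hold.
check_negation() {
    if ! nat_rules_fixed | grep -q -- "! -d $LAN_B"; then
        return 1
    fi
    if nat_rules_broken | grep -q -- "! -d"; then
        return 1
    fi
    return 0
}
```

Rule order matters too: if you prefer to keep the original SNAT rule, an explicit `-t nat -A POSTROUTING -s LAN A -d LAN B -j ACCEPT` inserted before it has the same effect.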
