From: "Dimitri Yioulos" <dyioulos@firstbhph.com>
To: netfilter@lists.netfilter.org
Subject: Re: NAT question
Date: Fri, 11 Mar 2005 10:41:11 -0500
Message-ID: <200503111541.j2BFfAK8006512@mail1.firstbhph.com>
In-Reply-To: <1110553981.4767.28.camel@hubcap.ljm.dom>
> >> Hello, all.
> >>
> >> I've recently set up iptables-1.2.8-12.3 on a CentOS 3.4 (RHEL AS 3)
> >> box.
> >> Among other things, I've created a DMZ where my Web and mail servers
> >> live.
> >> My problem is that my Web and mail servers identify themselves with the
> >> NAT ip address that I've assigned. Here's my NAT rule:
> >>
> >> IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source
> >> $INET_IP
> >>
> >> How can I get these two servers to identify themselves by their own ip
> >> addresses and still provide NAT for my users?
>
> >specify the source address so that only packets from the inside network
> >match the SNAT rule:
>
> > iptables -t nat -A POSTROUTING -o $INET_IFACE -s $INSIDE_NET \
> > -j SNAT --to-source $INET_IP
>
>
> Thanks to all for your replies!
>
> I was hopeful about applying the above rule. Internet connectivity is fine;
> inbound mail is fine; outbound mail seems not to make it (if the list
> receives this, it's because I rolled back to the original rule). Does that
> make any sense?
>
> Dimitri
-are your web and mail servers NAT-ed as well? it was unclear from your
-original post, and I assumed that you were using Internet-routed IP space
-in your DMZ. if this is not the case--you need to put your rules in the
-proper order.
-
-if you have a static (one-to-one) NAT for a DMZ machine, and also want
-to perform a hide NAT (many-to-one) NAT for your internal net's outbound
-traffic--you'd have something like:
-
- # inbound one-to-one NAT for web server
- iptables -t nat -A PREROUTING -i $INET_IFACE -d $WEB_SRV_PUB_IP \
- -j DNAT --to-destination $WEB_SRV_PRIV_IP
-
- # outbound one-to-one NAT for web server
- iptables -t nat -A POSTROUTING -o $INET_IFACE -s $WEB_SRV_PRIV_IP \
- -j SNAT --to-source $WEB_SRV_PUB_IP
-
- # outbound many-to-one NAT for inside net
- iptables -t nat -A POSTROUTING -o $INET_IFACE -s $INSIDE_NET \
- -j SNAT --to-source $INET_IP
-order matters--place the one-to-one SNAT rules before any many-to-one
-SNAT rules.
-in order for packets destined for $WEB_SRV_PUB_IP to make it to your
-firewall's $INET_IFACE, it either needs to be routed that way by your
-upstream Internet router, or you need to add it as an alias:
- ip addr add $WEB_SRV_PUB_IP dev $INET_IFACE
-HTH... and sorry for misleading before.
Sorry for any confusion I may be causing. Here's a little more info:
I've aliased my Web and mail server public addresses to eth0:0 and eth0:1
(eth0 being the external interface). I think I've read that this isn't the
optimal set-up, but it does work. That shouldn't matter, should it?
The key here may be in omitting a NAT postrouting rule (sorry if the
terminology is incorrect). Here's what I have:
IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SMTP_IP --dport 25 \
-j DNAT --to-destination $DMZ_SMTP_IP
IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $SMTP_IP --dport 25 \
-j DNAT --to-destination $DMZ_SMTP_IP
IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SMTP_IP --dport \
110 -j DNAT --to-destination $DMZ_SMTP_IP
IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $SMTP_IP --dport \
110 -j DNAT --to-destination $DMZ_SMTP_IP
IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
in that order. I will change the last rule to include -s $INSIDE_NET. I
also notice that I don't have the outbound one-to-one NAT for web or mail
servers. So, if I add:
IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $WEB_SRV_PRIV_IP \
-j SNAT --to-source $WEB_SRV_PUB_IP
and
IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $MAIL_SRV_PRIV_IP \
-j SNAT --to-source $MAIL_SRV_PUB_IP
just after the outbound many-to-one NAT for inside net as above, will I be
good?
Thanks so much for your time.
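An added illustration of the ordering point raised in this thread (example code, not part of anyone's message): a first-match walk of the nat POSTROUTING chain showing which source address a packet leaves with when the one-to-one SNAT rule sits after, versus before, the many-to-one rule. It assumes constructed placeholder addresses and that $INSIDE_NET also covers the DMZ subnet; if it does not, the ordering makes no difference.

```shell
#!/bin/sh
# Simulation of first-match SNAT selection in nat POSTROUTING.
# Addresses below are constructed placeholders, not from the thread.
INET_IP=198.51.100.1          # hide-NAT address for the inside net
WEB_SRV_PUB_IP=198.51.100.2   # public address aliased on the external interface
WEB_SRV_PRIV_IP=10.0.1.10     # web server's DMZ address
INSIDE_NET=10.0.0.0/8         # assumption: this range also covers the DMZ

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR CIDR -> true when ADDR falls inside CIDR (bare address = /32),
# the same test iptables applies for "-s CIDR"
in_net() {
  case "$2" in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2; bits=32 ;;
  esac
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# snat_source SRC RULE... : each RULE is "MATCH:TO_SOURCE"; rules are walked in
# chain order and the first match wins, exactly as a -j SNAT target terminates
# the POSTROUTING walk. Prints the address the packet leaves with (unchanged
# when no rule matches).
snat_source() {
  src=$1; shift
  for rule in "$@"; do
    if in_net "$src" "${rule%%:*}"; then
      echo "${rule#*:}"; return 0
    fi
  done
  echo "$src"
}

# The order proposed in the message above (one-to-one after many-to-one)
# versus the order recommended in the quoted reply (one-to-one first).
WRONG_ORDER="$INSIDE_NET:$INET_IP $WEB_SRV_PRIV_IP:$WEB_SRV_PUB_IP"
RIGHT_ORDER="$WEB_SRV_PRIV_IP:$WEB_SRV_PUB_IP $INSIDE_NET:$INET_IP"

echo "web server, one-to-one rule last:  $(snat_source $WEB_SRV_PRIV_IP $WRONG_ORDER)"
echo "web server, one-to-one rule first: $(snat_source $WEB_SRV_PRIV_IP $RIGHT_ORDER)"
echo "inside host 10.0.2.5, either order: $(snat_source 10.0.2.5 $RIGHT_ORDER)"
```

With the one-to-one rule last, mail from the DMZ server leaves as $INET_IP and so no longer matches the address its MX/PTR records advertise, which is the outbound-mail symptom described earlier in the thread.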