Linux Netfilter discussions
From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: Problems with NAT
Date: 29 May 2003 17:55:19 +0200	[thread overview]
Message-ID: <1054223719.13048.37.camel@raylinux.internal> (raw)
In-Reply-To: <001d01c325f5$1ab72010$010319ac@jhime>


On Thu, 2003-05-29 at 17:15, Jose Luis Hime wrote:
> Dear all:
> 
> I have the following network:
>               :
>               :    /---------\
> /-------\  Leased  | Router  |  Leased  /----------\
> | LAN B |----------| without |----------| Internet |
> \-------/  Line 1  | NAT     |  Line 2  \----------/
>               :    \---------/
>               :         |
>               :         |
>               :   /----------\
>               :   | Firewall |      /-------\
>               :   | Linux    |------| LAN A |
>               :   | with NAT |      \-------/
>               :   \----------/
>               :
>    CITY "B"   :     CITY "A"
> 
> 1. The router, the firewall and LAN A are in city "A"
> 2. LAN B is in another city (city "B")
> 3. LAN A must access the internet, LAN B must not;
> 4. Unfortunately my router does not support NAT;
> 5. Both the router and the linux firewall have real internet IP addresses;
> 6. So:
>    - The linux firewall must NAT packets from LAN A to the internet;
>    - The linux firewall must not NAT packets from LAN A to LAN B;
> 
> I created rules in table "filter" allowing communication between LAN A and
> LAN B:
>    -t filter -A INPUT   -s LAN A -d LAN B -j ACCEPT
>    -t filter -A INPUT   -s LAN B -d LAN A -j ACCEPT
>    -t filter -A FORWARD -s LAN A -d LAN B -j ACCEPT
>    -t filter -A FORWARD -s LAN B -d LAN A -j ACCEPT
> 
> After that, I created one rule in table "nat" in order to allow LAN A
> accessing the internet:
>    -t nat -A POSTROUTING -s LAN A -d 0/0 -j SNAT --to Firewall_IP_address
> 
> The problem is that LAN A is making NAT to LAN B.
> 
> Is there a way to prevent the firewall from NATing from LAN A to LAN B? The
> problem is that both traffics (LAN A->internet and LAN A->LAN B) are going
> through the same interface...
> 
Sure, change your nat rule:
  -t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address

> With ipchains, after reaching the INPUT and FORWARD rules the firewall
> would stop and would not reach the NAT rules. This behavior changed in
> iptables and it always checks both tables (filter and nat).
> 
> Thanks in advance,
> Jose Hime
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--
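The rule Ray gives above, worked through as an added example (this is not code from the thread, and the subnets 10.1.0.0/16, 10.2.0.0/16 and the firewall address 198.51.100.1 are hypothetical placeholders). The block models only the part of netfilter the question is about: how the first matching rule in the nat POSTROUTING chain decides whether a packet's source is rewritten. It compares the questioner's `-s LAN A -d 0/0 -j SNAT` rule with the negated-destination fix and with an equivalent ACCEPT-before-SNAT ordering, and prints each ruleset in modern iptables syntax, where the negation is written `! -d` rather than the `-d !` form accepted in 2003. Connection tracking is left out: real netfilter consults the nat table only for the first packet of a connection and applies that decision to the whole flow, which is also why no rule is needed for the LAN B to LAN A replies.

```python
# Added example, not code from the original thread: a minimal model of how
# the nat POSTROUTING chain matches a packet, used to show why a
# "-s LAN_A -d 0/0 -j SNAT" rule rewrites LAN A -> LAN B traffic and why
# excluding LAN B on the rule (or accepting that traffic earlier in the
# chain) fixes it.  Subnets and the firewall's public address are
# hypothetical placeholders.  Connection tracking is ignored.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

LAN_A = ip_network("10.1.0.0/16")         # assumed
LAN_B = ip_network("10.2.0.0/16")         # assumed
FIREWALL_IP = ip_address("198.51.100.1")  # assumed public address (TEST-NET-2)
ANY = ip_network("0.0.0.0/0")             # the questioner's "-d 0/0"


@dataclass
class Rule:
    """One rule in the nat POSTROUTING chain."""
    src: Optional[IPv4Network] = None   # -s, None means any source
    dst: Optional[IPv4Network] = None   # -d, None means any destination
    negate_dst: bool = False            # "! -d" (written "-d !" in 2003-era iptables)
    target: str = "SNAT"                # SNAT or ACCEPT
    to_source: Optional[IPv4Address] = None

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.src is not None and src not in self.src:
            return False
        # Plain "-d" needs membership, "! -d" needs non-membership.
        if self.dst is not None and (dst in self.dst) == self.negate_dst:
            return False
        return True

    def as_iptables(self) -> str:
        """Render the rule as a modern iptables command line."""
        parts = ["-t nat -A POSTROUTING"]
        if self.src is not None:
            parts.append(f"-s {self.src}")
        if self.dst is not None:
            parts.append(f"{'! ' if self.negate_dst else ''}-d {self.dst}")
        parts.append(f"-j {self.target}")
        if self.target == "SNAT":
            parts.append(f"--to-source {self.to_source}")
        return " ".join(parts)


def postrouting(rules: List[Rule], src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Return the source address the packet leaves with.

    The first matching rule decides: SNAT rewrites the source, ACCEPT ends
    traversal of the chain without NAT (as it does in the real nat table).
    No match falls through to the chain policy ACCEPT, leaving it unchanged.
    """
    for rule in rules:
        if rule.matches(src, dst):
            return rule.to_source if rule.target == "SNAT" else src
    return src


def was_snatted(rules: List[Rule], src: str, dst: str) -> bool:
    s, d = ip_address(src), ip_address(dst)
    return postrouting(rules, s, d) != s


# The questioner's rule: every packet from LAN A is rewritten, LAN B included.
ORIGINAL = [Rule(src=LAN_A, dst=ANY, to_source=FIREWALL_IP)]

# The fix from the reply: exclude LAN B on the SNAT rule itself.
NEGATED = [Rule(src=LAN_A, dst=LAN_B, negate_dst=True, to_source=FIREWALL_IP)]

# Equivalent fix: ACCEPT LAN A -> LAN B earlier in the nat chain, SNAT the rest.
ACCEPT_FIRST = [
    Rule(src=LAN_A, dst=LAN_B, target="ACCEPT"),
    Rule(src=LAN_A, to_source=FIREWALL_IP),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("negated", NEGATED),
                        ("accept-first", ACCEPT_FIRST)):
        print(name)
        for r in rules:
            print("  " + r.as_iptables())
        for dst in ("10.2.0.7", "203.0.113.10"):  # LAN B host, internet host
            print(f"  10.1.0.5 -> {dst}: SNAT={was_snatted(rules, '10.1.0.5', dst)}")
```

On a real firewall the same check is `iptables -t nat -L POSTROUTING -n -v`: a packet from LAN A to LAN B should leave the SNAT rule's packet counter untouched, and `iptables-save` shows whether the negation was installed as `! -d`. Both fixes rely on the fact that the nat table is consulted separately from filter, which is the behaviour change from ipchains the questioner noticed.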


Thread overview:
2003-05-29 15:15 Problems with NAT Jose Luis Hime
2003-05-29 15:55 ` Ray Leach [this message]
2003-05-29 17:15   ` Jose Luis Hime
2003-05-30  6:04     ` Ray Leach
