From: ATest@sbsdk12.org (Coutts, Ashe (Testing Account))
To: netfilter@lists.netfilter.org
Subject: Not quite understanding DNAT
Date: Thu, 24 Jul 2003 09:22:54 -0700
Message-ID: <3F1FA56E.28480.E59161E@localhost>
In-Reply-To: <200307241556.53796.rio@martin.mu>
I have set up a very basic firewall for our system.
We have 126 addresses to be used to/from the outside world (204.48.178.0/25)
and are using 10.x numbers on the inside.
It is working almost as I expected except for the following. The DNAT
connections come into the system fine but are seen as originating from the
eth0 interface rather than their eth0:x interface. So, when attaching to a Linux
box with ssh, I need to place the ip# for the eth0 interface in the
hosts.allow file rather than the much more restrictive eth0:x ip#. Can it be set
up so the connection is between the external eth0:x ip# and its linked internal
ip#?
Any help or suggestions would be greatly appreciated.
Thanks
============ Start iptables script ================
#!/bin/sh
/root/bin/NatReset
# First the "outside" eth0 interface on the firewall
/sbin/ifconfig eth0 204.48.178.2 netmask 255.255.255.128 \
broadcast 204.48.178.127 up
### Now add aliases to eth0 to users/hosts from the outside.
/sbin/ifconfig eth0:3 204.48.178.3 netmask 255.255.255.128 \
broadcast 204.48.178.127 up
/sbin/ifconfig eth0:4 204.48.178.4 netmask 255.255.255.128 \
broadcast 204.48.178.127 up
# (alias label corrected from eth0:4, which would have overwritten the .4 alias)
/sbin/ifconfig eth0:5 204.48.178.5 netmask 255.255.255.128 \
broadcast 204.48.178.127 up
### ethernet "eth1", i.e. the "inside" interface for the firewall
/sbin/ifconfig eth1 10.0.0.1 netmask 255.255.255.248 \
broadcast 10.0.0.7 up
## Set up outside access to the mainframe
/sbin/iptables --table nat --append PREROUTING --destination 204.48.178.3 \
--jump DNAT --to 10.5.2.104
## Set up outside access to a Windows 2000 cpu
/sbin/iptables --table nat --append PREROUTING --destination 204.48.178.4 \
--jump DNAT --to 10.5.2.105
# Set up inside and outside 1 to 1 mapping for W2K user
/sbin/iptables --table nat --append PREROUTING --destination 204.48.178.5 \
--jump DNAT --to 10.5.2.107
/sbin/iptables --table nat --append POSTROUTING --source 10.5.2.107/32 \
--jump SNAT --to 204.48.178.5
## Setup NAT from entire WAN to the outside world
/sbin/iptables --table nat --append POSTROUTING --source 0.0.0.0/0 \
--jump SNAT --to 204.48.178.2
## Now set the general policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy FORWARD ACCEPT
/sbin/iptables --policy OUTPUT DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
============ End iptables script ================
"Experience is not what happens to you, it
is what you do with what happens to you"
-- Aldous Huxley (1894-1963)
Ashe Coutts (acoutts@sbsdk12.org)
805.963.7751 Ext 260
Fax 805.884.1557
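The rewrite below is an added example and not the poster's script. It keeps the same public and inside addresses but narrows the NAT rules so that a DNATed inbound connection reaches the inside host with the client's real source address, which is what lets hosts.allow be written against real client addresses instead of the firewall's eth0 address. The inside range 10.0.0.0/8 is an assumption (the post only says "10.x"), as is the availability of the legacy iptables binary with the state match; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not the script from the original post. Same addresses,
# but the NAT rules are rewritten so a DNATed inbound connection reaches
# the inside host with the real client address as its source.
#
# Why the posted script lost the source address: its catch-all rule
#   iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -j SNAT --to 204.48.178.2
# has no -o match, so it also fires on packets that were just DNATed and
# are leaving through eth1 toward 10.5.2.x; those arrive at the inside
# host looking as if they came from 204.48.178.2.
#
# Assumptions (not stated in the post): the inside range is 10.0.0.0/8,
# and the legacy iptables binary with the state match is available.
# Usage: "sh nat.sh" prints the rules; "sh nat.sh apply" loads them.

WAN_IF=eth0
LAN_IF=eth1
WAN_IP=204.48.178.2
LAN_NET=10.0.0.0/8          # assumption: the post only says "10.x"

# Dry run prints each rule instead of loading it.
dryrun() { echo "iptables $*"; }
IPT=dryrun
if [ "${1:-}" = apply ]; then
    IPT=/sbin/iptables
fi

# Inbound only: one public address forwarded to one inside host.
# -i eth0 keeps the rule from touching traffic that arrives on eth1.
dnat_host() {               # $1 = public address, $2 = inside address
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$1" -j DNAT --to-destination "$2"
}

# Full 1:1 mapping: inbound DNAT plus an SNAT for that host's own
# outbound traffic. Must be added before the catch-all SNAT, because
# POSTROUTING is evaluated top to bottom and the first match wins.
map_one_to_one() {          # $1 = public address, $2 = inside address
    dnat_host "$1" "$2"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$2" -j SNAT --to-source "$1"
}

# Catch-all for everything else leaving the inside network via eth0.
# Both matches matter: -o eth0 excludes the DNATed packets that leave
# via eth1, and -s 10.0.0.0/8 excludes anything that is not ours.
snat_lan() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# FORWARD was policy ACCEPT in the post; tighten it to only what the
# NAT rules expose, plus replies to connections already accepted.
# FORWARD sees the post-DNAT destination, so match the inside addresses.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    for host in 10.5.2.104 10.5.2.105 10.5.2.107; do
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$host" -m state --state NEW -j ACCEPT
    done
}

build_rules() {
    $IPT -t nat -F
    $IPT -F FORWARD
    map_one_to_one 204.48.178.5 10.5.2.107   # W2K user, 1:1 mapping
    dnat_host 204.48.178.3 10.5.2.104        # mainframe
    dnat_host 204.48.178.4 10.5.2.105        # Windows 2000 host
    snat_lan                                 # everyone else out via .2
    forward_rules
}

build_rules
if [ "$IPT" != dryrun ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

With these rules a packet from an outside client to 204.48.178.3 is DNATed to 10.5.2.104 in PREROUTING, leaves via eth1 without matching either POSTROUTING rule, and the mainframe's tcp_wrappers sees the outside client's own address. The order in POSTROUTING is the one thing to watch: if the catch-all SNAT is appended first, the 1:1 host's outbound traffic is rewritten to 204.48.178.2 and its reply traffic never matches the 1:1 mapping.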
Thread overview (14+ messages):
2003-07-24 7:00 DNAT question Rio Martin.
2003-07-24 8:29 ` Philip Craig
2003-07-24 8:56 ` Rio Martin.
2003-07-24 9:42 ` Chris Wilson
2003-07-24 13:37 ` Gonzalez, Federico
2003-07-24 14:16 ` Cedric Blancher
2003-07-24 16:22 ` Coutts, Ashe (Testing Account) [this message]
2003-07-24 16:43 ` Not quite understanding DNAT Aldo S. Lagana
2003-07-25 0:14 ` Philip Craig
2003-07-25 9:47 ` Chris Wilson
2003-07-25 10:10 ` Cedric Blancher