On Tue, 2002-12-10 at 03:32, Jason Liao wrote:
> Hi Ray,
>
> Thank you for your reply, but maybe I was not clear in the original
> post: The destination of the incoming traffic is the firewall machine
> itself, just the destination IP address is of the DMZ interface.

Does that mean that the traffic is:

a) coming in via the DMZ with a destination of the DMZ interface, or
b) coming in via another interface (e.g. the internal interface) with a
   destination of the DMZ interface?

In the case of a) there is: INPUT, (maybe PREROUTING).

In the case of b) there is: (maybe PREROUTING), INPUT, FORWARD, (maybe
POSTROUTING).

> For this reason, the FORWARD rule won't be checked because it is basically
> INPUT traffic. Another issue is that the traffic is IPSec so that any
> change to the source address (SNAT) will break the IPSec authentication.

Then this basically leaves you with either tunneling (isn't that what
IPSec is?) or pure routing (FORWARDing).

> Thanks again for your suggestions.
>
> Best regards,
>
> Jason Liao
>
> Raymond Leach wrote:
> >
> > Hi
> >
> > Use SNAT on the POSTROUTING chain in the NAT table.
> >
> > iptables -t nat -A POSTROUTING -d $NET_DMZ -j SNAT --to-source $IP_DMZ_IFACE
> >
> > also you would need a FORWARD rule to route the initial traffic:
> > iptables -A FORWARD -d $NET_DMZ -j ACCEPT
> >
> > These are the least restrictive examples of possible rules. The above
> > assumes you have public IPs in your DMZ.
> >
> > Ray
> >
> > On Fri, 2002-12-06 at 18:41, Jason Liao wrote:
> > > Hi,
> > >
> > > I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ.
> > > The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
> > > 66.134.34.249/28. The WAN interface connects to the Internet and the
> > > DMZ interface connects to a stub network.
> > >
> > > When someone sends a packet to the IP address of the DMZ interface from
> > > the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
> > > interface. I want to know if there is a way using iptables (maybe with
> > > other tools such as iproute2) to make this packet appear as if it
> > > arrives at the DMZ interface. The packet itself should not be
> > > modified. I need this to work because I am running an IPSec VPN with
> > > FreeS/WAN on the DMZ interface. When the ESP packets arrive on the WAN
> > > interface, they cannot be properly processed by IPSec because the ipsec0
> > > interface is tied to the DMZ interface directly.
> > >
> > > I looked at the mangle table but could not figure out if it is the right
> > > direction. I read about the ROUTE target but do not know if this target
> > > is for diverting packets to be sent OUT on another interface, or can it
> > > be used to change a packet's arriving interface.
> > >
> > > Thanks in advance.
> > >
> > > Jason Liao
--
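The thread turns on which netfilter hooks a packet actually hits, and so which of the suggested rules ever get a chance to match. The following is an added example, not code from either poster or from the list: a small model of the Linux hook traversal using the three interface addresses from the original post. It assumes $NET_DMZ is the /28 containing the DMZ address (66.134.34.240/28, derived from 66.134.34.249/28 in the post) and $IP_DMZ_IFACE is 66.134.34.249; the second destination, 66.134.34.250, is a constructed DMZ host used only to show the forwarded case.

```python
"""Model of which netfilter hooks a packet traverses on a Linux router.

Added example for the iptables thread above; not code from the list.
Interface addresses are the ones given in the original post; the DMZ
network is derived from the DMZ interface's /28.
"""
import ipaddress

# Firewall interfaces from the post: LAN, WAN and DMZ.
IFACES = {
    "lan": ipaddress.ip_interface("10.0.0.1/24"),
    "wan": ipaddress.ip_interface("66.134.34.157/28"),
    "dmz": ipaddress.ip_interface("66.134.34.249/28"),
}

# Ray's two rules, with $NET_DMZ / $IP_DMZ_IFACE filled in (assumption:
# NET_DMZ is the /28 the DMZ interface address lives in).
RAYS_RULES = [
    {"table": "nat", "chain": "POSTROUTING", "dst": "66.134.34.240/28",
     "target": "SNAT --to-source 66.134.34.249"},
    {"table": "filter", "chain": "FORWARD", "dst": "66.134.34.240/28",
     "target": "ACCEPT"},
]


def is_local(dst, ifaces=IFACES):
    """Linux follows the weak host model: an address configured on ANY
    interface is a local address, no matter which interface the packet
    arrived on. That is why x.x.x.x -> 66.134.34.249 arriving on WAN is
    still delivered locally."""
    dst = ipaddress.ip_address(dst)
    return any(dst == i.ip for i in ifaces.values())


def hooks_for(dst, ifaces=IFACES):
    """Ordered hooks a packet entering from the network traverses.

    PREROUTING always runs (raw/mangle every packet, nat for new
    connections). The routing decision then sends the packet either to
    INPUT (local delivery) or through FORWARD and POSTROUTING. A locally
    delivered packet never sees FORWARD or POSTROUTING, so a nat
    POSTROUTING SNAT rule cannot touch it.
    """
    path = ["PREROUTING"]
    if is_local(dst, ifaces):
        path.append("INPUT")
    else:
        path += ["FORWARD", "POSTROUTING"]
    return path


def rules_consulted(in_iface, dst, rules, ifaces=IFACES):
    """Targets of the rules the packet is actually evaluated against,
    in hook order. A rule may carry an optional "in" key standing for
    the iptables -i match; the arrival interface is only ever *matched*
    here, no hook rewrites it."""
    path = hooks_for(dst, ifaces)
    dst_ip = ipaddress.ip_address(dst)
    hit = []
    for hook in path:
        for r in rules:
            if r["chain"] != hook:
                continue
            if r.get("in") not in (None, in_iface):
                continue
            if dst_ip in ipaddress.ip_network(r["dst"]):
                hit.append(r["target"])
    return hit


if __name__ == "__main__":
    # The packet from the post: ESP from the Internet to the DMZ address.
    for dst in ("66.134.34.249", "66.134.34.250"):
        print(dst, "->", hooks_for(dst),
              "rules consulted:", rules_consulted("wan", dst, RAYS_RULES))
```

Running it shows that the packet from the post (destination 66.134.34.249, the firewall's own DMZ address) goes PREROUTING then INPUT and is evaluated against neither of Ray's rules, whether it arrives on WAN or DMZ; only a packet for another host in 66.134.34.240/28 takes FORWARD and POSTROUTING, where the ACCEPT and the SNAT would apply. None of these hooks changes the interface the packet arrived on, which is the property the original question asked to rewrite.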