Re: DNAT/MASQ Precedence

On Fri, Jan 31, 2003 at 09:58:35AM +0000, Katriel Traum wrote:
> On Thursday 30 January 2003 19:34, Athan wrote:
> > On Thu, Jan 30, 2003 at 07:31:38PM +0000, Katriel Traum wrote:
> > > I want to redirect _all_ traffic into the DMZ (is that even possible?)
> > > and in the same time MASQ the LAN. The question is will they collide? If
> > > I use a ruleset such as:
> > > iptables -A PREROUTING -i $INET_IF -j DNAT --to-destination $DMZ_IP
> > > iptables -A POSTROUTING -o $INET_IF -j MASQUERADE
> > > (yes, there's only one computer in the DMZ)
> > >
> > > Will I get return traffic into my lan? won't it be DNATed into the DMZ?
> >
> >   You need at least one public IP that is *NOT* in the DMZ.  Then change
> > the DMZ rule to exclude on this:
> >
> > iptables -A PREROUTING -i $INET_IF -d ! <not-DMZ IP> -j DNAT
> > --to-destination $DMZ_IP
> 
> Well, the problem is I have 1 public IP via a cable modem.
> So I ask again, if I DNAT everything into the DMZ lan, and try to MASQ my 
> private lan, will I even get return traffic?

  That would be a problem, yes, as the PREROUTING gets done before the
POSTROUTING and will change the packets prior to the routing decision.
You may be able to get away with reserving a range of ports to be used
with SNAT though as the --to-source argument can take a range of port
numbers.

	iptables -t nat -A PREROUTING -i $INET_IF -p tcp --dport ! port1:port2 -j DNAT --to-destination $IP

	iptables -t nat -A POSTROUTING -o $INET_IF -s <LAN network> -j SNAT --to-source $IP:port1-port2

Note that the DNAT rule DOES now mention protocol explicitly, it has to
for --dport to be valid.  Duplicate the line with "-p udp" if you also
need UDP to be working.
  For non UDP/TCP (i.e. ICMP) to work correctly you have to hope a few
rules with the appropriate -m state will do the right thing.  AIUI they
should as how they treat things should be based on the connection
tracking table.

HTH,

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
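
Added example, not code from Athan's mail or from the netfilter project: a POSIX shell script that assembles the port-range split described above (DNAT for everything outside a reserved port range, SNAT of the LAN into that range, the DNAT line duplicated for UDP) as functions that can be reviewed before they are loaded. The interface, addresses and port numbers are constructed placeholders, the DRY_RUN switch and the FORWARD rule with -m state ESTABLISHED,RELATED are assumptions of this example, and the ruleset is printed rather than loaded unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original mail). Builds the DNAT/SNAT ruleset
# with a reserved SNAT port range so it can be inspected before loading.
# All addresses, the interface name and the port range are constructed
# placeholders; override them through the environment.

INET_IF="${INET_IF:-eth0}"
IP="${IP:-203.0.113.10}"            # the single public address (constructed)
DMZ_IP="${DMZ_IP:-192.168.2.10}"    # the lone DMZ host (constructed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PORT1="${PORT1:-40000}"             # start of the reserved SNAT port range
PORT2="${PORT2:-49999}"             # end of the reserved SNAT port range
DRY_RUN="${DRY_RUN:-1}"             # 1: print the rules, 0: load them

# valid_port_range LOW HIGH: succeeds when both are port numbers and LOW < HIGH
valid_port_range() {
    for p in "$1" "$2"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
    done
    [ "$1" -ge 1 ] && [ "$2" -le 65535 ] && [ "$1" -lt "$2" ]
}

# dnat_rule PROTO: send every inbound PROTO packet whose destination port is
# outside the reserved range to the DMZ host. DNAT lives in the nat table,
# and -p is required for --dport to be accepted.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport ! %s:%s -j DNAT --to-destination %s\n' \
        "$INET_IF" "$1" "$PORT1" "$PORT2" "$DMZ_IP"
}

# snat_rule: rewrite LAN sources to the public address using only the
# reserved ports, so replies to LAN connections fall outside the DNAT rule.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s:%s-%s\n' \
        "$INET_IF" "$LAN_NET" "$IP" "$PORT1" "$PORT2"
}

# state_rule (assumption of this example): accept replies to tracked
# connections in the filter table, which is where -m state is evaluated.
state_rule() {
    printf 'iptables -A FORWARD -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$INET_IF"
}

# gen_ruleset: the complete rule list, one command per line; fails on a
# bad port range instead of emitting a half-built ruleset
gen_ruleset() {
    valid_port_range "$PORT1" "$PORT2" || {
        echo "bad port range $PORT1:$PORT2" >&2
        return 1
    }
    dnat_rule tcp
    dnat_rule udp      # the mail says to duplicate the DNAT line for UDP
    snat_rule
    state_rule
}

# rule_count: number of commands gen_ruleset produces (4 with a valid range)
rule_count() { gen_ruleset | wc -l | tr -d ' '; }

if [ "$DRY_RUN" = 1 ]; then
    gen_ruleset
else
    gen_ruleset | while IFS= read -r cmd; do eval "$cmd"; done
fi
```

Run it once with the defaults to read the four commands, then with DRY_RUN=0 as root to load them; keeping the reserved range in one pair of variables means the PREROUTING exclusion and the POSTROUTING --to-source range cannot drift apart.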
