hi,

I have a firewall box with Redhat 8.0 (kernel 2.4.18-24.8.0) and iptables v1.2.6a installed and 8 public ip addresses, let's say 195.12.1.0/29. My firewall box has 3 NICs.

  eth1 (195.12.1.1) ---- FW ---- eth2 (192.168.1.2) ---- Cisco --- INTERNET
                         |
                         |
                   eth0 (10.3.1.1)

Behind eth0 I have planned an internal network of 10.3.1.0/24. Behind eth1 will be connected some public computers with no access to the internal LAN. Eth2 has a link with a Cisco C1601 having test class ip's for the link (192.168.1.0/24, 192.168.1.2 at the fw side and 192.168.1.1 at the cisco's side). The reason why I have test ip's for the link is that I haven't got enough public ip's to complete my plan. I have 2 servers in the internal LAN. Both MUST have separate ip's. When I divide 195.12.1.0/29 into 2 different networks, 195.12.1.0/30 (eth2) and 195.12.1.4/30, I have no ip's left for the internal servers. But in that case I have no trouble translating the internal LAN behind eth0 to eth2. My problem is that I don't know how to translate the internal LAN to eth1 when I have test ip's for the link at eth2. Being more specific, I have no idea how to accomplish it with Linux. For Cisco IOS the following should work:

interface Ethernet1
 ip address 195.12.1.1 255.255.255.248
 no ip directed-broadcast
 ip nat outside
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source list 1 interface Ethernet1 overload
ip classless
!
access-list 1 permit 10.3.1.0 0.0.0.255

Has anyone implemented a similar solution and knows how to translate the LAN to the public ip at eth1 (195.12.1.1) while eth2 with test class ip's is connected to the Internet?

Thanks,
vmtesting

FW box routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
195.12.1.0      0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.3.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth2

IPtables truncated script for NAT:
#!/bin/sh
# This is the location of the iptables command
IPTABLES="/sbin/iptables"

case "$1" in
stop)
    echo "Shutting down firewall..."
    $IPTABLES -F
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    echo "...done"
    ;;
status)
    echo $"Table: filter"
    $IPTABLES --list
    echo $"Table: nat"
    $IPTABLES -t nat --list
    echo $"Table: mangle"
    $IPTABLES -t mangle --list
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
start)
    echo "Starting Firewall..."
    echo ""
    ##--------------------------Begin Firewall---------------------------------##
    #----Default-Interfaces-----#
    LINKIF="eth2"
    EXTIF="eth1"
    INTIF="eth0"
    INTLAN="10.3.1.0/255.255.255.0"
    INTIP="10.3.1.1"
    INTMASK="255.255.255.0"
    EXTIP="195.12.1.1"

    # Flush and reset everything before loading the ruleset
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    ###################
    ##  POSTROUTING  ##
    ###################
    # Masquerade from Internal Net to External Net
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -j SNAT --to $EXTIP
    #------End Ruleset------#
    echo "...done"
    echo ""
    echo "{>o-< IPTABLES firewall activated :-))"
    ##--------------------------------End Firewall---------------------------------##
    ;;
*)
    echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
    exit 1
    ;;
esac
exit 0
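The Linux counterpart of the Cisco `ip nat inside source list 1 interface Ethernet1 overload` idea, as an added example that is not part of the original post: netfilter SNAT can translate to any address the box owns, so the rule is keyed on the interface the packets really leave through (eth2) while translating to eth1's public address, and the posted script's policy-ACCEPT FORWARD chain is narrowed to the flows the NAT covers. It assumes the Cisco has a static route for 195.12.1.0/29 pointing at 192.168.1.2 so replies to 195.12.1.1 return over the serial link, and the `build_*`/`run` helper names are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's script: translate the LAN behind eth0 to
# eth1's public address while packets physically leave via eth2 (Cisco link).
# netfilter SNAT may map to any address the box owns, so match the real egress
# interface and translate to EXTIP; conntrack reverses it for replies to EXTIP
# arriving on eth2 because EXTIP is a local address.
# Assumption: the Cisco has "ip route 195.12.1.0 255.255.255.248 192.168.1.2".
IPTABLES="${IPTABLES:-/sbin/iptables}"
LINKIF="eth2"          # interface that actually carries traffic to the Cisco
INTIF="eth0"
INTLAN="10.3.1.0/24"
EXTIP="195.12.1.1"     # eth1's address, used as the translation source

# SNAT rule keyed on the egress interface (eth2), not the interface owning EXTIP.
build_snat_rule() {
    linkif="$1"; intlan="$2"; extip="$3"
    printf '%s' "-t nat -A POSTROUTING -o $linkif -s $intlan -j SNAT --to-source $extip"
}

# Forward only what the NAT rule covers (LAN out, replies back) instead of the
# policy-ACCEPT FORWARD chain in the posted script. One rule per output line.
build_forward_rules() {
    linkif="$1"; intif="$2"; intlan="$3"
    printf '%s\n' \
        "-P FORWARD DROP" \
        "-A FORWARD -i $intif -o $linkif -s $intlan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
        "-A FORWARD -i $linkif -o $intif -d $intlan -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Dry run by default: prints the commands. APPLY=1 executes them (as root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        # shellcheck disable=SC2086  # word splitting of the rule string is intended
        "$IPTABLES" $1
    else
        echo "$IPTABLES $1"
    fi
}

main() {
    if [ "${APPLY:-0}" = "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    run "$(build_snat_rule "$LINKIF" "$INTLAN" "$EXTIP")"
    build_forward_rules "$LINKIF" "$INTIF" "$INTLAN" | while IFS= read -r rule; do
        run "$rule"
    done
}
main
```

The example covers only the eth0 LAN to Cisco path; the public machines behind eth1 need their own FORWARD rules, and if the Cisco lacks the return route, replies to 195.12.1.1 will arrive on Ethernet1 instead of Serial0.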