hi,

I have a firewall box with Red Hat 8.0 (kernel 2.4.18-24.8.0) and iptables v1.2.6a installed, and 8 public IP addresses, let's say 195.12.1.0/29. My firewall box has 3 NICs:

eth1(195.12.1.1)----FW-----eth2 (192.168.1.2)-----Cisco---INTERNET
                    |
                    |
              eth0(10.3.1.1)

Behind eth0 I have planned an internal network of 10.3.1.0/24. Behind eth1 will be connected some public computers with no access to the internal LAN. Eth2 has a link with a Cisco C1601 using test-class IPs for the link (192.168.1.0/24: 192.168.1.2 at the FW side and 192.168.1.1 at the Cisco's side).

The reason why I have test IPs for the link is that I haven't got enough public IPs to complete my plan. I have 2 servers in the internal LAN. Both MUST have separate IPs. When I divide 195.12.1.0/29 into 2 different networks, 195.12.1.0/30 (eth2) and 195.12.1.4/30, I have no IPs left for the internal servers. But in that case I have no trouble translating the internal LAN behind eth0 to eth2.

My problem is that I don't know how to translate the internal LAN to eth1 when I have test IPs for the link at eth2. Being more specific, I have no idea how to accomplish it with Linux. For Cisco IOS the following should work:

interface Ethernet1
 ip address 195.12.1.1 255.255.255.248
 no ip directed-broadcast
 ip nat outside
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source list 1 interface Ethernet1 overload
ip classless
!
access-list 1 permit 10.3.1.0 0.0.0.255

Has anyone implemented a similar solution and knows how to translate the LAN to a public IP at eth1 (195.12.1.1) while eth2 with test-class IPs is connected to the Internet?

Thanks,
vmtesting

FW box routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
195.12.1.0      0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.3.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth2

iptables truncated script for NAT:

#!/bin/sh
# This is the location of the iptables command
IPTABLES="/sbin/iptables"

case "$1" in
stop)
    echo "Shutting down firewall..."
    # Flush and delete everything in all three tables, then open the policies
    $IPTABLES -F
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    echo "...done"
    ;;
status)
    echo $"Table: filter"
    $IPTABLES --list
    echo $"Table: nat"
    $IPTABLES -t nat --list
    echo $"Table: mangle"
    $IPTABLES -t mangle --list
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
start)
    echo "Starting Firewall..."
    echo ""
    ##--------------------------Begin Firewall---------------------------------##
    #----Default-Interfaces-----#
    LINKIF="eth2"                    # link to the Cisco (192.168.1.0/24)
    EXTIF="eth1"                     # public segment (195.12.1.0/29)
    INTIF="eth0"                     # internal LAN
    INTLAN="10.3.1.0/255.255.255.0"
    INTIP="10.3.1.1"
    INTMASK="255.255.255.0"
    EXTIP="195.12.1.1"

    # Start from a clean state with open policies
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    ###################
    ## POSTROUTING   ##
    ###################
    # Masquerade from Internal Net to External Net
    # (this rule only sees packets that actually leave the box through $EXTIF)
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -j SNAT --to-source $EXTIP
    #------End Ruleset------#
    echo "...done"
    echo ""
    echo "{>o-< IPTABLES firewall activated :-))"
    ##--------------------------------End Firewall---------------------------------##
    ;;
*)
    echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
    exit 1
esac
exit 0
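The following is an added example, not code from vmtesting's post, showing one way to do the translation asked about above on the Linux box. It uses the interface names and addresses from the post; the routing table pasted in the post is copied into the script so the sanity check runs offline. Two things it assumes that the post does not state: that the Cisco routes the public block back over the link (an IOS route of the form "ip route 195.12.1.0 255.255.255.248 192.168.1.2"), so replies addressed to 195.12.1.1 arrive at the firewall's eth2; and that the public hosts on eth1 should stay reachable from the Internet (the `-i eth2 -o eth1` rule, drop it if not). The `default_iface`, `check_default_route`, `nat_rules`, `filter_rules` and `enable_forwarding` functions are this example's own names. With no argument it prints the rules it would load (`IPTABLES=echo`); `apply` loads them with `/sbin/iptables`.

```shell
#!/bin/sh
# Added example (not from the original post): SNAT the internal LAN to the
# public address held on eth1 while the default route leaves through eth2.
# Assumption (not in the post): the Cisco has
#   ip route 195.12.1.0 255.255.255.248 192.168.1.2
# so replies to 195.12.1.1 come back over the 192.168.1.0/24 link.
# Run with no argument for a dry run (rules are printed), "apply" to load them.

LINKIF="eth2"             # link to the Cisco, carries the default route
EXTIF="eth1"              # public segment, 195.12.1.0/29
INTIF="eth0"              # internal LAN
INTLAN="10.3.1.0/24"
EXTIP="195.12.1.1"        # NAT source address; it lives on eth1, not on eth2

# Routing table as pasted in the post (copied here so the check runs offline).
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
195.12.1.0      0.0.0.0         255.255.255.248 U     0      0   0   eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth2
10.3.0.0        0.0.0.0         255.255.255.0   U     0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0   0   eth2'

# Print the interface of the default route from `route -n` output on stdin.
default_iface() {
    while read -r dest gw mask rest; do
        if [ "$dest" = "0.0.0.0" ] && [ "$mask" = "0.0.0.0" ]; then
            echo "${rest##* }"      # last column is the Iface
            return 0
        fi
    done
    return 1
}

# Succeed only if the default route leaves via $LINKIF. A POSTROUTING rule
# written with "-o eth1" never matches LAN-to-Internet packets, because they
# leave through eth2; the SNAT rule must name the interface they really use.
check_default_route() {
    [ "$(default_iface)" = "$LINKIF" ]
}

nat_rules() {
    $IPTABLES -t nat -F POSTROUTING
    # The source address does not have to belong to $LINKIF: conntrack
    # rewrites the replies addressed to $EXTIP as long as they reach this box.
    $IPTABLES -t nat -A POSTROUTING -o "$LINKIF" -s "$INTLAN" \
        -j SNAT --to-source "$EXTIP"
}

filter_rules() {
    # The post wants the public hosts on eth1 kept out of the internal LAN;
    # a FORWARD policy of ACCEPT does not enforce that, so drop by default.
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -s "$INTLAN" -o "$LINKIF" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$LINKIF" -j ACCEPT
    $IPTABLES -A FORWARD -i "$LINKIF" -o "$EXTIF" -j ACCEPT  # assumed: public hosts reachable from outside
    # eth1 -> eth0, and any new connection into the LAN, falls to the DROP policy.
}

enable_forwarding() {
    if [ "$IPTABLES" = "echo" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

case "${1:-dryrun}" in
    apply)
        IPTABLES="/sbin/iptables"
        route -n | check_default_route || { echo "default route is not on $LINKIF" >&2; exit 1; }
        ;;
    *)
        IPTABLES="echo"
        printf '%s\n' "$SAMPLE_ROUTES" | check_default_route || exit 1
        ;;
esac
enable_forwarding
nat_rules
filter_rules
```

The check at the top is the point of the example: the rule has to hang on the interface the packets leave through, which the routing table (default via 192.168.1.1 dev eth2) decides, not on the interface that owns the address. The 192.168.1.0/24 link addresses never appear on the Internet side because every LAN packet is rewritten to 195.12.1.1 before it leaves eth2, and the public hosts on eth1 already carry addresses from 195.12.1.0/29 and need no NAT.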