RE: Using IPTABLES, cannot go to External Interface


Hi


The setup is like this:

I have a RedHat linux with three LAN cards into it.

eth0 = Public IP
eth0:0 = Public IP
eth0:0 - eth0:3 = Public IPs

eth1 = Private IP (Internal Net)
eth2 = DMZ IPs (Private ones)(Here I have 4 machines with DMZ IPs)

DNAT    - Anything entering to eth0 (External Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs.
        - Anything entering to eth1 (Internal Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs.
        - Anything entering to eth2 (DMZ Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs.

SNAT    - Anything going out from (Source eth1 (Internal Net) and (DMZ NET) Destination 0.0.0.0/0 and eth2) should be SNATted --to-source eth0.
        - Anything from DMZ to Internal should be SNATted to DMZ_IF.

All the traffic from the External World is able to reach my servers in the DMZ. I mean, if someone has to log on to the web server at eth0:0 port 80, he/she is able to do so.

But, no one from the INTERNAL NET is able to reach the servers. If I have a machine with an Internal IP Address and want to log onto the web server from within my network, I cannot do so.

If I access Yahoo.com or any other site, I can do so from within my network using an Internal IP Address.

Hope this explains.






-----Original Message-----
From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx]
Sent: Monday, June 16, 2003 3:46 PM
To: Deshwal Chand
Cc: Netfilter (E-mail)
Subject: Re: Using IPTABLES, cannot go to External Interface


On Mon 16/06/2003 at 09:51, Deshwal Chand wrote:
> I am running a script for IPTABLES.
> I have assigned 3 more IP addresses to my external interface.
> eth0 - x.y.z.1
> eth0:0 - x.y.z.2
> eth0:1 - x.y.z.3
> eth0:2 - x.y.z.4
> I have SNATed my internal network to eth0. I can do all the things.
> But, I cannot reach to any of IP addresses x.y.z.1 - 3.

Reach them from where? SNAT is handled through FORWARD. Local traffic is
handled through INPUT and OUTPUT. Maybe there's something to look at
there.

> Though, I can go to any host in the world, but cannot go directly to
> eth0.

Can you be a little more explicit about your setup and what you exactly
want to do?
     
--
Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
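The DNAT/SNAT layout described in this thread, written out as an added example (not code from either poster). The public addresses x.y.z.1-4 are the ones quoted above; the internal and DMZ networks and the DMZ host addresses are constructed placeholders, and `IPT=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: NAT rules for the layout Deshwal describes,
# one public alias on eth0 per DMZ host. The DMZ and internal addresses are
# constructed placeholders; x.y.z.1-4 are the addresses from the thread.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
EXT_IF=eth0
INT_IF=eth1
DMZ_IF=eth2
EXT_IP=x.y.z.1          # primary address of eth0, used as the SNAT source
INT_NET=10.0.1.0/24     # placeholder: internal LAN behind eth1
DMZ_NET=10.0.2.0/24     # placeholder: DMZ LAN behind eth2
# "public alias:DMZ host" pairs (placeholder DMZ hosts)
NAT_MAP="x.y.z.2:10.0.2.2 x.y.z.3:10.0.2.3 x.y.z.4:10.0.2.4"

apply_nat_rules() {
    for pair in $NAT_MAP; do
        pub=${pair%%:*}
        dmz=${pair##*:}
        # Match on destination address only (no -i), so the same DNAT applies to
        # packets arriving on eth0, eth1 and eth2 alike.
        "$IPT" -t nat -A PREROUTING -d "$pub" -j DNAT --to-destination "$dmz"
        # Packets generated on the firewall itself never traverse PREROUTING;
        # they are translated in the nat OUTPUT chain instead.
        "$IPT" -t nat -A OUTPUT -d "$pub" -j DNAT --to-destination "$dmz"
    done
    # FORWARD runs after DNAT, so it sees the DMZ address whichever side the
    # connection came from. Replies are accepted by connection state.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_NET" -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -d "$DMZ_NET" -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT
    # SNAT only what really leaves through eth0. Without -o, the same rule would
    # also rewrite internal-to-DMZ traffic and hide the client's address from
    # the DMZ servers and their logs.
    "$IPT" -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
    "$IPT" -t nat -A POSTROUTING -s "$DMZ_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}
```

Because the internal and DMZ LANs are separate subnets, a DMZ server's replies to an internal client return through the firewall, where conntrack reverses the DNAT, so no extra hairpin SNAT is needed for the internal-to-DMZ case.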

