Coutts, Ashe (Testing Account) wrote:
> It is working almost as I expected except for the following. The DNAT
> connections come into the system fine but are seen as originating from the
> eth0 interface rather than their eth0:x interface. So, when attaching to a linux
> cpu with ssh I am needing to place the ip# for the eth0 interface in the
> hosts.allow file rather than the much more restrictive eth0:x ip#. Can it be set
> up so the connection is between the external eth0:x ip# and its linked internal
> ip#?
If all you are doing is DNATing, then the source address should be
the real external source address, not eth0 *or* eth0:x.
## Setup NAT from entire WAN to the outside world
/sbin/iptables --table nat --append POSTROUTING --source 0.0.0.0/0 \
--jump SNAT --to 204.48.178.2
But here we see that you are SNATing everything. This is probably
not what you want. I expect you only want to SNAT outgoing traffic:
## Setup NAT from entire WAN to the outside world
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 \
--jump SNAT --to 204.48.178.2
With this rule, you should now place the real external hosts in
your hosts.allow, rather than any IP address that belongs to the
firewall.
--
Philip Craig - philipc@xxxxxxxxxxxx - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
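To make the difference between the two POSTROUTING rules concrete, here is an added example (not code from the thread or from SnapGear) that models how nat POSTROUTING matches an SNAT rule against a packet: a DNATed inbound connection leaves the firewall on the internal interface, so a rule restricted to `--out-interface eth0` never rewrites its source, while a rule matching `--source 0.0.0.0/0` does. The internal interface name eth1, the external client 198.51.100.7 and the internal host 192.168.1.10 are constructed assumptions; only 204.48.178.2 comes from the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str  # the routing decision is already made at POSTROUTING


@dataclass(frozen=True)
class SnatRule:
    """One `iptables -t nat -A POSTROUTING ... -j SNAT --to <to>` rule."""
    to: str
    source: Optional[str] = None         # --source <cidr>
    out_interface: Optional[str] = None  # --out-interface <iface>

    def matches(self, pkt: Packet) -> bool:
        if self.source is not None and ip_address(pkt.src) not in ip_network(self.source):
            return False
        if self.out_interface is not None and pkt.out_iface != self.out_interface:
            return False
        return True


def postrouting(pkt: Packet, rules: List[SnatRule]) -> Packet:
    """First matching SNAT rule wins and rewrites the source address."""
    for rule in rules:
        if rule.matches(pkt):
            return replace(pkt, src=rule.to)
    return pkt


# Constructed packets. The inbound one has already been DNATed in PREROUTING
# to the internal host, so it exits on the assumed internal interface eth1.
INBOUND_AFTER_DNAT = Packet(src="198.51.100.7", dst="192.168.1.10", out_iface="eth1")
OUTBOUND = Packet(src="192.168.1.10", dst="198.51.100.7", out_iface="eth0")

# The rule from the question: SNAT everything, whichever way it leaves.
SNAT_EVERYTHING = [SnatRule(to="204.48.178.2", source="0.0.0.0/0")]
# The suggested replacement: only rewrite traffic going out over eth0.
SNAT_OUTBOUND_ONLY = [SnatRule(to="204.48.178.2", out_interface="eth0")]


def source_seen_by_internal_host(rules: List[SnatRule]) -> str:
    return postrouting(INBOUND_AFTER_DNAT, rules).src


def source_seen_by_external_host(rules: List[SnatRule]) -> str:
    return postrouting(OUTBOUND, rules).src
```

With SNAT_EVERYTHING the internal host sees 204.48.178.2, which is exactly the firewall address that had to go into hosts.allow; with SNAT_OUTBOUND_ONLY it sees the real client 198.51.100.7, and outbound traffic is still masked as 204.48.178.2 in both cases.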