On Mon, 2003-09-15 at 16:00, Cedric Blancher wrote:
> On Mon 15/09/2003 at 15:46, Ray Leach wrote:
> > My firewall machine currently has 5 NICs, each with their own ip (one
> > has a public ip - eth0)
> > eth0 has the public ip. It also has 10 alias ips.
> > eth1 has a private ip of 192.168.1.1.
> > eth1 network is my dmz with all the web servers from 192.168.1.165 to
> > 192.168.1.173.
> > If I want to DNAT incoming traffic destined to one of the aliases bound
> > to interface eth0 to a server in the dmz - eth1 192.168.1.165 (for
> > example), then I need:
> > - a PREROUTING DNAT rule
> > - a FORWARD rule for each direction (eth0 -> eth1 and eth1 -> eth0)
> > - and an INPUT rule for eth0 alias ip.
> > Does that make sense?
>
> Not to me. Supposing the alias is set up (using iproute or ifconfig) I would
> do this (and I think you did this):
>
> iptables -t nat -A PREROUTING -d $ALIAS -i eth0 -j DNAT \
>     --to 192.168.1.165
> iptables -A FORWARD -d 192.168.1.165 -i eth0 -o eth1 -j ACCEPT
> iptables -A FORWARD -s 192.168.1.165 -i eth1 -o eth0 -j ACCEPT
>
> And that's all to set a DNAT for incoming packets.
>
> > If I remove the INPUT rule, my DNAT does not work, the packets get sent
> > to the OUTPUT chain ...
>
> What is the INPUT rule? Once your packet gets DNATed in PREROUTING, it
> is not sent to NF_IP_LOCAL_IN, but to NF_IP_FORWARD. Thus, it does not
> cross the filter table INPUT chain. If packets go through the INPUT chain, that
> means they're still destined to the alias IP, so the DNAT rule did
> not match them.
> And I do not see how packets could go to the OUTPUT chain as they're
> supposed to get routed, not locally generated... The only case I see is
> REDIRECT target use on a local proxy, so packets go through INPUT, then
> the proxy reply is sent through the OUTPUT chain.

Now that's a possibility! I didn't even think of that. I do have a transparent squid proxy running on that machine.
I suppose I was watching the traffic going through the proxy (probably because I was testing from a local machine).

Thanks

> > I'm a bit lost on this one.

-- 
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
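The chain traversal Cedric describes above, as an added toy model (not code from the thread): nat PREROUTING runs before the routing decision, so a DNATed packet is handed to FORWARD and never crosses INPUT, while a REDIRECTed packet is delivered locally (INPUT) and the proxy's reply is a new, locally generated packet crossing OUTPUT. The public alias, the eth0 primary address and the eth2 LAN interface are constructed placeholders; the DNAT rule and the DMZ server address are the ones from the thread.

```python
from dataclasses import dataclass, field

ALIAS = "203.0.113.10"        # constructed stand-in for $ALIAS on eth0
DMZ_SERVER = "192.168.1.165"  # DMZ web server from the thread
# Primary address per interface; eth0 and eth2 values are constructed.
IF_PRIMARY = {"eth0": "203.0.113.1", "eth1": "192.168.1.1", "eth2": "192.168.2.1"}
LOCAL_IPS = set(IF_PRIMARY.values()) | {ALIAS}   # addresses the firewall owns

# (matched dst, incoming interface, new dst): the PREROUTING DNAT rule Cedric posted
DNAT_RULES = [(ALIAS, "eth0", DMZ_SERVER)]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str
    path: list = field(default_factory=list)


def prerouting(pkt, dnat_rules, redirect_ports):
    """nat PREROUTING: rewrites dst *before* routing, so it decides the next hook."""
    pkt.path.append("PREROUTING")
    if pkt.dport in redirect_ports:
        # REDIRECT: dst becomes the firewall's own address on the incoming interface
        pkt.dst = IF_PRIMARY[pkt.in_if]
        return
    for match_dst, in_if, new_dst in dnat_rules:
        if pkt.dst == match_dst and pkt.in_if == in_if:
            pkt.dst = new_dst
            return


def traverse(pkt, dnat_rules=DNAT_RULES, redirect_ports=()):
    """Return the chains the packet crosses (plus a local proxy reply, if any)."""
    prerouting(pkt, dnat_rules, redirect_ports)
    if pkt.dst in LOCAL_IPS:             # routing decision: deliver locally
        pkt.path.append("INPUT")
        if pkt.dport in redirect_ports:  # transparent proxy answers from the box itself
            pkt.path += ["OUTPUT", "POSTROUTING"]
    else:                                # routing decision: forward
        pkt.path += ["FORWARD", "POSTROUTING"]
    return pkt.path


if __name__ == "__main__":
    print(traverse(Packet("198.51.100.7", ALIAS, 80, "eth0")))                  # DNAT hit
    print(traverse(Packet("198.51.100.7", ALIAS, 80, "eth0"), dnat_rules=[]))   # no DNAT
    print(traverse(Packet("192.168.2.20", "198.51.100.9", 80, "eth2"), redirect_ports={80}))
```

With the DNAT rule in place the packet goes PREROUTING, FORWARD, POSTROUTING and no INPUT rule is consulted; seeing INPUT means the DNAT rule did not match, and seeing OUTPUT means a locally generated packet such as the proxy's reply.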