----- Original Message -----
Sent: Friday, April 30, 2004 3:20 PM
Subject: Newbie question about nat
Hello!

I'm trying to set up a firewall with two ethernets to be installed between the internet and a pool of servers.

The setup is as follows:

In the firewall:
- eth0 with public ip 'a.b.c.d', connected to the internet
- eth1 with private ip 192.168.1.1, connected to a private class C subnet

In the internal server 1 (web server):
- eth0 with private ip 192.168.1.100, connected to the subnet above.

I have some public ips available (a.b.c.e, a.b.c.f, a.b.c.g, ...) so now I want to map the external ip 'a.b.c.e' to the internal ip '192.168.1.100'.

So in the firewall I do:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -d a.b.c.e -j DNAT --to 192.168.1.100
iptables -t nat -A POSTROUTING -s 192.168.1.100 -j SNAT --to a.b.c.e

This should effectively
- change destination from a.b.c.e to 192.168.1.100 for packets entering the firewall
- and change source from 192.168.1.100 to a.b.c.e for packets leaving the firewall
Now, if I ping the public address of the internal server 1 (a.b.c.e) from the internet, each packet should traverse the firewall like this:

1. @internet: source=w.x.y.z, destination=a.b.c.e
2. @firewall-prerouting: source=w.x.y.z, destination=192.168.1.100 (destination changed by nat rule 1)
3. @firewall-postrouting: source=w.x.y.z, destination=192.168.1.100 (no changes)
4. @internal_server_1: source=w.x.y.z, destination=192.168.1.100 (so the packet reaches the target)

and then, when the internal server bounces the ping:

1. @internal_server_1: source=192.168.1.100, destination=w.x.y.z
2. @firewall-prerouting: source=192.168.1.100, destination=w.x.y.z (no changes)
3. @firewall-postrouting: source=a.b.c.e, destination=w.x.y.z (source changed by nat rule 2)
4. @internet: source=a.b.c.e, destination=w.x.y.z (so the packet reaches the target)
But this won't work, because the firewall doesn't know it must process packets with destination ips other than its own ip (a.b.c.e, a.b.c.f, etc...), and my ISP doesn't know which machine it must deliver these packets to.

So the question is: how can I make the firewall process the packets with destinations a.b.c.e, a.b.c.f, etc.?

The only solution I've found is to define an ip alias in the firewall itself so that eth0:1 will respond to the external ip a.b.c.e. Thus when the router of my ISP asks "who has ip a.b.c.e?", the firewall will answer "me" and it will process the packet and deliver it to the internal server 1.

But this solution means defining an alias for every external ip I want to firewall. So if I have eight servers firewalled I will need eight ip aliases in the firewall.

Is this the right way to do it? Or is there a cleaner/easier/better method to achieve the same?

Thank you very much in advance,

Oriol
Barcelona
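The alias-per-server approach described in the mail, scripted so it does not have to be typed out eight times, as an added example that is not part of the original message. It assumes the interface names from the mail (eth0 external, eth1 internal), uses the placeholder addresses a.b.c.e and 192.168.1.100 from the mail, and adds two things a practitioner would want beyond the mail's rules: the DNAT/SNAT rules are bound to the external interface with -i/-o so the SNAT does not also rewrite traffic between 192.168.1.100 and other LAN hosts, and the FORWARD chain defaults to DROP with explicit allows, since ip_forward=1 would otherwise forward everything the DNAT lets in. DRY_RUN=1 (the default) only prints the commands; the function names and the port argument are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original mail). DRY_RUN=1 prints the commands
# instead of executing them, so the rule set can be reviewed before use.
DRY_RUN="${DRY_RUN:-1}"
EXT_IF=eth0   # public side, as in the mail
INT_IF=eth1   # private side, as in the mail

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# map_server <public_ip> <private_ip> <tcp_port>
# One public address per internal server: alias + DNAT + SNAT + FORWARD allow.
map_server() {
  pub=$1; priv=$2; port=$3
  # The alias makes the firewall answer the ISP router's "who has a.b.c.e?"
  run ip addr add "$pub/32" dev "$EXT_IF"
  # Inbound: rewrite the public destination to the internal server (nat rule 1)
  run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" \
      -j DNAT --to-destination "$priv"
  # Outbound: rewrite the internal source back to the public address (nat rule 2),
  # only for packets actually leaving via the public interface
  run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" \
      -j SNAT --to-source "$pub"
  # Forwarding is denied by default (see setup); allow only the published service
  run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$priv" \
      -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

setup() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  # Replies and related packets for already-accepted connections, both directions
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Internal server 1 (web server) behind a.b.c.e; add one line per further server
  map_server a.b.c.e 192.168.1.100 80
}

# Run with RUN_SETUP=1 to emit (DRY_RUN=1) or apply (DRY_RUN=0) the full rule set.
if [ "${RUN_SETUP:-0}" = 1 ]; then
  setup
fi
```

Review the output of RUN_SETUP=1 DRY_RUN=1 sh nat.sh first; only with DRY_RUN=0 and root does it touch the interface and the tables. The ESTABLISHED,RELATED rule is what lets the return half of the ping trace and the web server's replies pass once the FORWARD policy is DROP.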