# Paths and interface names (no trailing slash on the iptables path, otherwise every rule fails with "command not found")
IFCCMD="/sbin/ifconfig" IPTCMD="/sbin/iptables" PUBIF="eth2" DMZIF="eth1" PUBMSK="255.255.255.128"
# Bind the public address as an alias on the public interface (one alias per public IP is enough)
$IFCCMD $PUBIF:1 111.111.111.1 netmask $PUBMSK
# HTTP: DNAT inbound port 80 to the DMZ host, then allow the forwarded traffic in both directions
$IPTCMD -A PREROUTING -t nat -p tcp -d 111.111.111.1 --dport 80 -j DNAT --to-destination 192.168.11.1:80
$IPTCMD -A FORWARD -i $PUBIF -o $DMZIF -p tcp --dport 80 -d 192.168.11.1 -j ACCEPT
$IPTCMD -A FORWARD -i $DMZIF -o $PUBIF -p tcp --sport 80 -s 192.168.11.1 -j ACCEPT
# HTTPS: same pattern for port 443
$IPTCMD -A PREROUTING -t nat -p tcp -d 111.111.111.1 --dport 443 -j DNAT --to-destination 192.168.11.1:443
$IPTCMD -A FORWARD -i $PUBIF -o $DMZIF -p tcp --dport 443 -d 192.168.11.1 -j ACCEPT
$IPTCMD -A FORWARD -i $DMZIF -o $PUBIF -p tcp --sport 443 -s 192.168.11.1 -j ACCEPT
# FTP: same pattern for port 21 (control channel only)
$IPTCMD -A PREROUTING -t nat -p tcp -d 111.111.111.1 --dport 21 -j DNAT --to-destination 192.168.11.1:21
$IPTCMD -A FORWARD -i $PUBIF -o $DMZIF -p tcp --dport 21 -d 192.168.11.1 -j ACCEPT
$IPTCMD -A FORWARD -i $DMZIF -o $PUBIF -p tcp --sport 21 -s 192.168.11.1 -j ACCEPT
# Outbound traffic from the DMZ host leaves with its own public address (1-to-1 mapping)
$IPTCMD -t nat -A POSTROUTING -s 192.168.11.1 -o $PUBIF -j SNAT --to 111.111.111.1
I would have to do this for each website, so basically I would be doing that 30 more times in the script, with only IP changes. I have tested it (not with 30 IPs, only 3) but it seems to work great. Is there a better way to do what I need? Is this what is called 1-to-1 NAT? The system that we are using as the firewall is a 1GHz Celeron w/ 256MB RAM. The OS is basically a Debian base install w/ 2.4.27-custom kernel. The public and DMZ interfaces have GBE cards installed, so this system shouldn't have any speed problems with this configuration. Is that a fair assumption? Thanks in advance for any suggestions.
Regards, Thomas
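The repeated per-host block in the post can be generated from one list of public/private address pairs. The script below is an added example, not Thomas's script: it keeps the interface names and the iptables path from the post, but the address pairs in MAPPINGS are constructed sample data, and the per-port `--sport` return rules are replaced by a single connection-tracking rule, so that only replies to tracked connections (rather than any DMZ packet with source port 80) are forwarded back out.

```shell
#!/bin/sh
# Added example, not the poster's script: build 1-to-1 NAT rules for many
# public/private address pairs from one list instead of repeating a block
# per host. Interface names and the iptables path follow the post; the
# address pairs below are constructed sample data.

IPT="${IPT:-/sbin/iptables}"   # binary path, no trailing slash
PUBIF="eth2"
DMZIF="eth1"

# Constructed sample mappings: "public_ip private_ip forwarded_tcp_ports".
MAPPINGS="111.111.111.1 192.168.11.1 80,443,21
111.111.111.2 192.168.11.2 80,443"

# Rules that apply once, not per host: default-deny forwarding plus one
# connection-tracking rule for reply traffic in both directions. This
# replaces the per-port --sport rules, which would also let any DMZ
# traffic that merely uses source port 80 leave the firewall.
global_rules() {
    printf '%s -P FORWARD DROP\n' "$IPT"
    printf '%s -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
}

# Rules for one public/private pair: DNAT each listed port inbound (only on
# the public interface), allow the NEW connection through FORWARD, and SNAT
# the host's outbound traffic to its own public address (1-to-1 NAT).
host_rules() {
    pub="$1"; priv="$2"; ports="$3"
    for port in $(printf '%s' "$ports" | tr ',' ' '); do
        printf '%s -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$IPT" "$PUBIF" "$pub" "$port" "$priv" "$port"
        printf '%s -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$IPT" "$PUBIF" "$DMZIF" "$priv" "$port"
    done
    printf '%s -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$IPT" "$priv" "$PUBIF" "$pub"
}

# Walk the mapping list and emit every rule as text. Reading the output
# first lets you review the whole rule set; piping it through sh applies it.
all_rules() {
    global_rules
    printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        host_rules "$pub" "$priv" "$ports"
    done
}

# Number of generated rule lines, a quick sanity check against the list
# (expected here: 2 global + 7 for the first host + 5 for the second = 14).
rule_count() {
    all_rules | grep -c ''
}

case "${1:-}" in
    --print) all_rules ;;        # dry run: show the rules
    --apply) all_rules | sh ;;   # apply for real (needs root)
esac
```

Run it with `--print` to review the generated rules and with `--apply` to load them. Each public address still has to be configured on the public interface, as the ifconfig alias line in the post does, or the firewall will never receive packets for it. For the FTP mapping, the data connection is only classified as RELATED (and NATed correctly) when the FTP connection-tracking helpers are loaded: `ip_conntrack_ftp` and `ip_nat_ftp` on a 2.4 kernel like the one in the post, `nf_conntrack_ftp` and `nf_nat_ftp` on later kernels.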