-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We found all docs relating to 1:1 NAT to be lacking; most are geared for an
org to try and connect with 2 other orgs that have grabbed the same
private address space, thus renumbering one or both on the fly to allow
mutual access to resources of the org sharing those resources <which at
first glance here seems to resemble your needs, and those docs might have
some value for you>. None did we find that covered a single site's need of
1:1 NAT for purposes such as we needed here. So we filtered those docs
and many others and grabbed this tidbit of info and fused it with that
tidbit, and got some majik we missed in our POST/PRE routing chains from
Jason Opersainion <sorry if I mangled ya sir>. The majik under the hood
and out of the iptables realm were the ip addr add commands to add the
external, public addresses being NATed to the internal private side onto the
external interface. Once that was up and set, we had the functionality we
lacked in other regards, with caveats, and we have not taken the time to
see if those caveats can be remedied in other ways, though we will look
into this again in short order as work and time permit;
caveats;
FORWARD rule chains require ACCEPT in the default policy; turning off
ACCEPT breaks the bank. You have yours set to DROP, which might be part of the
problem you need to hash on, presuming you have the ip addr add majik
already set up on the external interface.
To pass from public space to private space, outside -> in, requires one
first connect and have an account on the FW. This is likely due to our
use of, for the most part, old rules in place prior to the 1:1 NAT setup.
It might take some tinkering with additional POST/PRE routing rules and
DNAT/SNAT to allow those few we do to pass through to the systems they
need access to. As of now, it works in our favor to dramatically limit who
can go where, but it requires that we place high levels of trust in folks as
they are accessing the FW directly first.
Hope this helps; I will follow along here as well, as I might become more
enlightened as well.
Thanks,
Ron DuFresne
On Wed, 15 Jun 2005, González Sandoval Luis Rolando wrote:
I'm looking for information about one-to-one NAT and its configuration with IPTABLES v1.2.7a.
My requirements are:
1. Map IP addresses from the segment 10.129.41.0/24 to IP addresses in 192.168.20.0/24
My firewall machine has three NICs:
1. NIC eth0 for the segment 10.129.41.0/24
2. NIC eth1 for the segment 192.168.20.0/24
3. NIC eth2 for the segment 10.149.50.0/22
Please, if someone can help me, I would appreciate it... I'm reading the Firewall Linux book, chapter seven, and I've researched on the web, but my script fails.
If you can guide me on my requirement, thanks.
I'm using the following iptables script:
#!/bin/bash
IPTABLES=/usr/sbin/iptables
echo "Loading modules, please wait..."
/sbin/depmod -a
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
echo "Modules UP"
echo "IP forwarding enabled"
echo "1" > /proc/sys/net/ipv4/ip_forward
#$IPTABLES -P INPUT DROP
#Default INPUT policy ---> DROP
#$IPTABLES -P FORWARD DROP
#Default FORWARD policy ---> DROP
#$IPTABLES -P OUTPUT DROP
#Default OUTPUT policy ---> DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES --flush
$IPTABLES -t nat --flush
$IPTABLES --delete-chain
echo "Default policy up"
$IPTABLES -A INPUT -i lo -j ACCEPT
#Everything is allowed on the loopback interface
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#Everything is allowed on the loopback interface
#LIST OF ADDRESSES AUTHORIZED TO ENTER THE PROTECTED NETWORK
$IPTABLES -A FORWARD -s 10.129.41.123 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 10.129.41.123 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 10.129.48.43 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 10.129.48.43 -m state --state NEW -j ACCEPT
#NAT 1:1
# Outbound: rewrite the private source 192.168.20.183 to its public
# address 10.129.41.242 as packets leave through eth0.
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.20.183/32 -j SNAT --to 10.129.41.242
# Inbound: packets for the public address 10.129.41.242 arrive on eth0
# (the 10.129.41.0/24 NIC), so the DNAT rule must match -i eth0; the
# original script used -i eth1, which never matches inbound traffic.
$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.129.41.242/32 -j DNAT --to 192.168.20.183
# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here, since FORWARD runs after DNAT)
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.20.183 \
-m state --state NEW -j ACCEPT
# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established
# DNAT connections
$IPTABLES -A FORWARD -t filter -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding for all 1:1 NAT connections originating on
# the Internet that have already passed through the NEW forwarding
# statements above
$IPTABLES -A FORWARD -t filter -i eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
Ing. Luis González Sandoval
Ingeniería de Sistemas - Cx UEN GRM
Tel. 2838030
LGonzalezSa@xxxxxxxxx
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCsGE8st+vzJSwZikRAo3HAJ9/6k4PIyod6TLxZxL/jKnZhDOAVwCg1lg+
Eg/L6Pg/DRNs5dJOLAA7Oxc=
=yvfH
-----END PGP SIGNATURE-----
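As an added example that is not part of either message in the thread, the script below puts together the pieces both posters describe: the ip addr add of each public address on the external NIC, a DNAT/SNAT pair per mapping, and the FORWARD rules that a default-deny filter table needs. It assumes (as in Luis's layout) that eth0 carries the 10.129.41.0/24 side and eth1 the private 192.168.20.0/24 side; the second mapping, 10.129.41.243 to 192.168.20.184, is constructed for illustration. IPTABLES, IP and SYSCTL default to echo so the script can be run anywhere as a dry run that prints the commands it would issue.

```shell
#!/bin/sh
# Added example (not the script from the thread): static 1:1 NAT on a Linux
# iptables gateway with the filter table's default policy set to DROP.
# Assumed layout: eth0 = "public" 10.129.41.0/24, eth1 = private 192.168.20.0/24.
# On a real firewall set the binaries, e.g.
#   IPTABLES=/usr/sbin/iptables IP=/sbin/ip SYSCTL=/sbin/sysctl sh nat1to1.sh
IPTABLES=${IPTABLES:-echo iptables}
IP=${IP:-echo ip}
SYSCTL=${SYSCTL:-echo sysctl}
PUB_IF=eth0
PRIV_IF=eth1

# Constructed sample input: one "PUBLIC PRIVATE" pair per line. The first pair
# is the one from the original post; the second is made up for this example.
MAPPINGS='10.129.41.242 192.168.20.183
10.129.41.243 192.168.20.184'

# base_policy: default-deny filter table plus the stateful rules every 1:1
# mapping relies on. The nat table's policies stay ACCEPT: that table decides
# how to translate a packet, the filter table decides whether it passes.
base_policy() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Reply packets of every mapped connection, in both directions.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Private hosts may open connections outward; SNAT below rewrites their source.
    $IPTABLES -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" -m state --state NEW -j ACCEPT
}

# nat_1to1 PUBLIC PRIVATE: claim the public address on the external NIC so the
# upstream router can ARP for it, translate in both directions, and open
# FORWARD for new inbound connections. Emits exactly four commands.
nat_1to1() {
    pub=$1
    priv=$2
    $IP addr add "$pub/32" dev "$PUB_IF"
    # Inbound: rewrite the public destination to the private host before routing.
    $IPTABLES -t nat -A PREROUTING -i "$PUB_IF" -d "$pub" -j DNAT --to-destination "$priv"
    # Outbound: rewrite the private source to its public address after routing.
    $IPTABLES -t nat -A POSTROUTING -o "$PUB_IF" -s "$priv" -j SNAT --to-source "$pub"
    # FORWARD is evaluated after PREROUTING, so it must match the private
    # (post-DNAT) destination, not the public one.
    $IPTABLES -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -d "$priv" -m state --state NEW -j ACCEPT
}

# apply_mappings: run nat_1to1 for every pair in MAPPINGS.
apply_mappings() {
    printf '%s\n' "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] && [ -n "$priv" ] || continue
        nat_1to1 "$pub" "$priv"
    done
}

# count_mappings: number of address pairs in MAPPINGS (sanity check after a run).
count_mappings() {
    printf '%s\n' "$MAPPINGS" | grep -c '[0-9] [0-9]'
}

base_policy
apply_mappings
```

Ordering matters: the ESTABLISHED,RELATED accept in FORWARD is what lets return traffic through once the default policy is DROP, and each mapping's NEW accept is written against the private address because DNAT has already rewritten the destination by the time the filter table sees the packet.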