Re: When writing rules for multiple sequenced firewalls, does the source IP of client need to be modified at each firewall

Hi again Oskar,

I will need to look into NAT. I am just keen to understand how my
Linksys WRT54G boxes (2 of them) use iptables, in the sense that they
automatically block all incoming but allow outgoing, with incoming
allowed based on that outgoing traffic (bit of a mouthful!).

So I began thinking how the firewalls would react if I did indeed want
to permit incoming to an ssh server or some other machine.

I did not want to do this via the GUI, in order to force myself to
understand what is really happening from an iptables rules perspective.

I guess the question I am really asking is, after the external client
IP address passes both firewalls, is the source IP the original IP
address of the external client or the IP address of the tier2Firewall
(eth3)?


I just downloaded zenmap and nmap.

I fired it up and hit a webpage. It appears that the external web
server IP address does seem to be handed or forwarded on through the 2
firewalls unmodified to my laptop. The source IP does not seem to have
changed to the IP address of each router as the packet moves along the
firewall path.

It's just something I wanted to confirm. There is no point in trying to
define rules based on what I think is happening rather than what is
actually happening.

So, as before, the rules to allow internal access to an ssh server from
an external source should be defined as (--dport requires -p tcp):
iptables -A FORWARD -i eth0 -p tcp -s anyIP -d sshServIP --dport 22 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp -s anyIP -d sshServIP --dport 22 -j ACCEPT

assuming NAT and port forwarding have also been set up correctly.

Correct?

[Perhaps I am thinking of proxies, where the IP addresses are definitely
modified to handle the TCP connections. And this has led to my
confusion.]

On Sun, Nov 8, 2009 at 2:29 PM, Oskar Berggren <oskar.berggren@xxxxxxxxx> wrote:
> For NAT to happen you need to create SNAT and DNAT rules in mangle
> table, chain PREROUTING and POSTROUTING. No NAT happens other than
> what you have specified. In most cases, you should not need to
> translate the source address of traffic coming from a public
> ip-address available on the internet. For your scenario you seem to
> need DNAT rules to translate the target address of traffic destined to
> your SSH-server.
>
> (You would also need SNAT rules to translate the source address of
> packets coming _from_ your own network, if you want to reach other
> stations on the Internet.)
>
> /Oskar
>
>
> 2009/11/8 paddy joesoap <paddyjoesoap@xxxxxxxxx>:
>> Dear Experts,
>>
>> Suppose I have two firewalls in the network and suppose the network
>> consisted of the following:
>>
>> Internet -- gwFirewall -- tier2firewall -- sshServer
>>
>> gwFirewall has two interfaces:
>> eth0 = Internet facing (IP address 1.2.3.4)
>> eth1 = Internal facing (IP address 192.168.1.1)
>>
>> tier2firewall has two interfaces:
>> eth2 = gwFirewall facing (IP address 192.168.1.4)
>> eth3 = deep internal facing (IP address 192.168.2.1)
>>
>> sshServer = IP address 192.168.2.2, Port 22
>>
>> Now suppose the two firewalls were a typical SOHO box like the
>> Linksys WRT54G running dd-wrt, so they handle my Netfilter firewall
>> rules and NAT etc.
>> Or the firewalls could be any PCs converted to a netfilter firewall
>> (filter, nat and mangle enabled).
>>
>> My question is, when writing rules to permit Internet access to a
>> system deep in the network, do you keep the original source IP address
>> of the internet client in your firewall rules for each firewall in the
>> path?
>>
>> That is, if an Internet client (source IP address 94.108.94.75) needs
>> to access an ssh server (destination IP address 192.168.2.2) across two
>> firewalls, how should the inbound rules look?
>>
>>
>> Scenario 1)
>>
>> On the gwFirewall you permit the internet client access to
>> tier2Firewall on the IP address of eth2 and from there, tier2Firewall
>> will permit that same client IP to the ssh server.
>>
>> For example:
>>
>> iptables -A FORWARD -i eth0 -p tcp -s 94.108.94.75 -d 192.168.1.4 --dport 22 -j ACCEPT
>> iptables -A FORWARD -i eth2 -p tcp -s 94.108.94.75 -d 192.168.2.2 --dport 22 -j ACCEPT
>>
>> Scenario 2)
>>
>> On the gwFirewall you permit the internet client access to
>> tier2Firewall on the IP address of eth2 and from there, tier2Firewall
>> will permit the *gwFirewall* internal IP to the ssh server. Because of
>> NAT etc. I wonder whether the source IP addresses etc. will be changed.
>>
>> For example
>>
>> iptables -A FORWARD -i eth0 -p tcp -s 94.108.94.75 -d 192.168.1.4 --dport 22 -j ACCEPT
>> iptables -A FORWARD -i eth2 -p tcp -s 192.168.1.1 -d 192.168.2.2 --dport 22 -j ACCEPT
>>
>> I presume that Scenario 1 above is correct and the original source IP
>> address of the requesting Internet client is carried through the chain of
>> firewalls towards the destination.
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
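The rule set for the two-firewall topology in the original question, as an added example that is not part of the thread and not the poster's own rules. Addresses, interface names and the client 94.108.94.75 are the ones given in the question; everything else is assumed: gwFirewall has a route for 192.168.2.0/24 via 192.168.1.4, tier2firewall does not SNAT packets leaving eth3, and the IPT variable (dry-run printing by default) is this example's own convention. It shows that only the destination is rewritten (DNAT on gwFirewall) and that the FORWARD rules on both boxes therefore match the real client source, i.e. Scenario 1.

```shell
#!/bin/sh
# Added example (not from the thread): netfilter rules for
#   Internet -- gwFirewall (eth0 1.2.3.4 / eth1 192.168.1.1)
#            -- tier2firewall (eth2 192.168.1.4 / eth3 192.168.2.1)
#            -- sshServer 192.168.2.2
# Assumed: gwFirewall routes 192.168.2.0/24 via 192.168.1.4, and tier2 has
# no SNAT/MASQUERADE for packets leaving eth3. By default the rules are only
# printed; run with IPT=iptables as root on each box to load that box's set.

IPT="${IPT:-echo iptables}"

GW_PUBLIC=1.2.3.4
SSH_SERVER=192.168.2.2
CLIENT=94.108.94.75      # use 0.0.0.0/0 to allow any client ("anyIP")

gw_rules() {
    $IPT -P FORWARD DROP
    # Replies and related traffic of flows already accepted, both directions.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Port forward: rewrite only the DESTINATION (1.2.3.4:22 -> 192.168.2.2:22)
    # in the nat table's PREROUTING chain. The source stays 94.108.94.75.
    $IPT -t nat -A PREROUTING -i eth0 -p tcp -d $GW_PUBLIC --dport 22 \
        -j DNAT --to-destination $SSH_SERVER:22

    # FORWARD is evaluated after DNAT, so match the translated destination
    # (the SSH server), not the tier2 interface address. --dport needs -p tcp.
    $IPT -A FORWARD -i eth0 -o eth1 -p tcp -s $CLIENT -d $SSH_SERVER --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Outbound from the LANs: rewrite the private SOURCE to the public address.
    # The nat table is consulted only for the first packet of a connection, so
    # this never touches the replies of the DNATed inbound SSH flow.
    $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

tier2_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # No DNAT here: the packet arrives with dst 192.168.2.2 and src 94.108.94.75
    # intact, so tier2 filters on the real client address (Scenario 1).
    $IPT -A FORWARD -i eth2 -o eth3 -p tcp -s $CLIENT -d $SSH_SERVER --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Outbound from 192.168.2.0/24 towards gwFirewall (double NAT, as a SOHO
    # box would do). It only affects NEW flows leaving eth2, so the SSH
    # server's replies to the inbound flow are not rewritten by it.
    $IPT -t nat -A POSTROUTING -o eth2 -j MASQUERADE

    # Deliberately NO MASQUERADE/SNAT for packets leaving eth3: that would make
    # the SSH server see tier2's address instead of the client (Scenario 2)
    # and hide the real client from its logs and host-based filtering.
}

gw_rules
tier2_rules
```

If you would rather not add the route on gwFirewall, the alternative is to chain the port forward: DNAT on gwFirewall to 192.168.1.4:22 and a second DNAT on tier2 (PREROUTING, -i eth2) to 192.168.2.2:22. In that case each box's FORWARD rule matches its own translated destination (192.168.1.4 on gw, 192.168.2.2 on tier2), but the source is still never rewritten, so -s 94.108.94.75 is correct on both.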
