Re: DMZ issue - redirect works as expected but behaviour not desired

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thank you for your response and explanation of the difference between MASQUERADE and SNAT.

I really do not want to use MASQUERADE for exactly the reason that you state.

My explanation is confusing because I was using the same ethernet port just for testing.

In the real world I'm trying to achieve a box that acts as a firewall and depending on the service requested routes to an internal machine lying on a DMZ.

So,  I'd be using multiple ethernet ports as you would expect.

To be clear (I hope) users would enter http://somesite.somewhere.com and it would resolve to an IP address on the firewall box.
They hit the outside interface (port 80 or 443) and it would forward this to a machine on the DMZ.  That's all I'm trying to achieve here.

Is this just achieved via a series of FORWARD commands like any other?


On 2011-02-19, at 6:10 PM, Pascal Hambourg wrote:

> Hello,
> 
> Feasey, Nicholas a écrit :
>> I'm setting up a box that will be the only device on the Internet and
>> will forward requested services to other servers sitting on a DMZ.
>> 
>> As a test I started with redirecting a web server.
>> 
>> To test my arrangement I first merely set up a simple masquerade (just
>> on my internal network) in my iptables like so:
>> 
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.40.15
>> -A POSTROUTING -j MASQUERADE
> 
> Be aware that using MASQUERADE on all interfaces may not do what you
> want. Usually, it is used only on the public internet side.
> 
>> *filter
>> ...normal filtering lines follow.
>> 
>> This POSTROUTING entry works as well:
>> 
>> -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.40.15
>> 
>> I think this is because the above line is doing the same as the shortcut
>> MASQUERADE.
> 
> Not exactly. This rule replaces the source address of any connection
> going out eth0 with 192.168.40.15 whereas the above MASQUERADE rule
> replaces the source address of any connection going out any interface
> with the address of the interface.
> 
> By the way, it is weird that you use the address of a remote host (the
> server in the DMZ).
> 
>> When I check the httpd access_log it shows that the connection came from
>> 192.168.40.15 as expected.  It works.
> 
> I'm puzzled. A connection cannot match both the DNAT and SNAT rules as
> they have the same input and output interface eth0. Even if it did (the
> connection goes out the interface it came in), this connection would end
> up having the same address as source and destination 192.168.40.15.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 

Attachment: smime.p7s
Description: S/MIME cryptographic signature


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux