(sorry. should've replied to all) On 2011-02-20, Pandu Poluan <pandu@xxxxxxxxxxx> wrote: > (sorry for top posting; Gmail mobile client can only top-post) > > I've been doing what (I think) you're planning to do, i.e., mapping an > external IP:port into DMZ (which uses private addressing) > > IMO, to do this, you really don't need more than 2 rules: > > -t nat -A PREROUTING -i $WAN_IFACE -d $WAN_IP -p tcp --dport 80 -j > DNAT --to $WEBSERVER > > -A FORWARD -d $WEBSERVER -j ACCEPT > > With the above pair of rules, only the destination of incoming packets > get changed; the webserver would still see the original source > address. As long as the Linux firewall sees *both* incoming and > outgoing traffic from the webserver, netfilter will automatically > perform the inverse NAT. > > Of course you would want some -t raw -A PREROUTING rules to prevent > spoofing (esp. smurf attacks). But that's not strictly necessary for > NAT-ing. > > CMIIW. > > Rgds, > > > On 2011-02-20, Feasey, Nicholas <nfeasey@xxxxxxxxxxxxxxxxxxx> wrote: >> Thank you for your response and explanation of the difference between >> MASQUERADE and SNAT. >> >> I really do not want to use MASQUERADE for exactly the reason that you >> state. >> >> My explanation is confusing because I was using the same ethernet port >> just >> for testing. >> >> In the real world I'm trying to achieve a box that acts as a firewall and >> depending on the service requested routes to an internal machine lying on >> a >> DMZ. >> >> So, I'd be using multiple ethernet ports as you would expect. >> >> To be clear (I hope) users would enter http://somesite.somewhere.com and >> it >> would resolve to an IP address on the firewall box. >> They hit the outside interface (port 80 or 443) and it would forward this >> to >> a machine on the DMZ. That's all I'm trying to achieve here. >> >> Is this just achieved via a series of FORWARD commands like any other? >> >> >> On 2011-02-19, at 6:10 PM, Pascal Hambourg wrote: >> >>> Hello, >>> >>> Feasey, Nicholas a Ãcrit : >>>> I'm setting up a box that will be the only device on the Internet and >>>> will forward requested services to other servers sitting on a DMZ. >>>> >>>> As a test I started with redirecting a web server. >>>> >>>> To test my arrangement I first merely set up a simple masquerade (just >>>> on my internal network) in my iptables like so: >>>> >>>> *nat >>>> :PREROUTING ACCEPT [0:0] >>>> :POSTROUTING ACCEPT [0:0] >>>> -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.40.15 >>>> -A POSTROUTING -j MASQUERADE >>> >>> Be aware that using MASQUERADE on all interfaces may not do what you >>> want. Usually, it is used only on the public internet side. >>> >>>> *filter >>>> ...normal filtering lines follow. >>>> >>>> This POSTROUTING entry works as well: >>>> >>>> -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.40.15 >>>> >>>> I think this is because the above line is doing the same as the >>>> shortcut >>>> MASQUERADE. >>> >>> Not exactly. This rule replaces the source address of any connection >>> going out eth0 with 192.168.40.15 whereas the above MASQUERADE rule >>> replaces the source address of any connection going out any interface >>> with the address of the interface. >>> >>> By the way, it is weird that you use the address of a remote host (the >>> server in the DMZ). >>> >>>> When I check the httpd access_log it shows that the connection came >>>> from >>>> 192.168.40.15 as expected. It works. >>> >>> I'm puzzled. A connection cannot match both the DNAT and SNAT rules as >>> they have the same input and output interface eth0. Even if it did (the >>> connection goes out the interface it came in), this connection would end >>> up having the same address as source and destination 192.168.40.15. >>> -- >>> To unsubscribe from this list: send the line "unsubscribe netfilter" in >>> the body of a message to majordomo@xxxxxxxxxxxxxxx >>> More majordomo info at http://vger.kernel.org/majordomo-info.html >>> >>> >> >> > > > -- > -- > Pandu E Poluan - IT Optimizer > My website: http://pandu.poluan.info/ > -- -- Pandu E Poluan - IT Optimizer My website: http://pandu.poluan.info/ -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
