I have several virtual servers in a private vlan (192.168.0.0/24). I would prefer that they do not communicate directly, but rather be forced to go through the firewall. To accomplish this, I have a rule in my INPUT chain to drop all traffic from 192.168.0.0/24. This is the only rule on the servers, and they have default ACCEPT policies for all chains.

However, I do want one server on the vlan to contact another over ssh. But I want this traffic to flow through the firewall, so I can keep all my rules in one place (the firewall).

So, I want server A (192.168.0.111) to contact server B (1.1.1.2) over ssh. It seems like this would require both SNAT and DNAT rules, but I'm not sure if this is possible.

If I tried to connect to server B on 1.1.1.2:22 (firewall DNAT translates to 192.168.0.2) from server A (192.168.0.111), server B would reply to 192.168.0.111, whose traffic is dropped. So with only a DNAT rule, I could get traffic external to the firewall to connect to server B, but not traffic behind the firewall.

I've tried adding SNAT rules to change 192.168.0.111 -> 1.1.1.111 when it tries to connect to 192.168.0.2:22, but it doesn't seem to work.

Is what I'm attempting possible?

John Ratliff
Systems Engineer
Office: (812) 935-2491 | Mobile: (812) 340-7421
john.ratliff@xxxxxxxxxxxxxx | smithville.com
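The setup the post describes, written out as an added example (not the poster's own rules): a DNAT in PREROUTING that maps 1.1.1.2:22 to 192.168.0.2:22, an SNAT in POSTROUTING that rewrites server A's source to 1.1.1.111, and FORWARD rules so the firewall actually passes the hairpinned connection. The one point worth checking against the post is that POSTROUTING sees the packet after DNAT, so the SNAT rule must match the translated destination 192.168.0.2, not 1.1.1.2. The VLAN-side interface name eth1 is an assumption; all addresses come from the post. Setting IPT=echo gives a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example for hairpin NAT on the firewall (not from the original post).
# Server A (192.168.0.111) connects to B's public address 1.1.1.2:22; the firewall
# DNATs that to 192.168.0.2 and SNATs A's source to 1.1.1.111, so B replies to the
# firewall rather than directly to A (B drops traffic from 192.168.0.0/24).
IPT="${IPT:-iptables}"     # set IPT=echo for a dry run

B_PUB="1.1.1.2"            # public address for server B (from the post)
B_PRIV="192.168.0.2"       # server B's real address (from the post)
A_PRIV="192.168.0.111"     # server A (from the post)
A_PUB="1.1.1.111"          # address the firewall presents for A (from the post)
VLAN_IF="eth1"             # ASSUMPTION: firewall interface facing the private VLAN

apply_hairpin_rules() {
    # 1. DNAT: any client, including hosts on the VLAN, reaching 1.1.1.2:22 is
    #    redirected to B's private address. Runs before routing.
    "$IPT" -t nat -A PREROUTING -p tcp -d "$B_PUB" --dport 22 \
        -j DNAT --to-destination "$B_PRIV:22"

    # 2. SNAT: POSTROUTING runs after DNAT, so match the translated destination
    #    (192.168.0.2). Rewriting the source makes B answer the firewall, and
    #    conntrack reverses both translations on the reply packets automatically.
    "$IPT" -t nat -A POSTROUTING -p tcp -s "$A_PRIV" -d "$B_PRIV" --dport 22 \
        -j SNAT --to-source "$A_PUB"

    # 3. FORWARD: the connection enters and leaves on the same VLAN interface.
    #    Allow the new ssh session to B and the tracked replies; everything else
    #    between VLAN hosts stays subject to the firewall's FORWARD policy.
    "$IPT" -A FORWARD -i "$VLAN_IF" -o "$VLAN_IF" -p tcp -s "$A_PRIV" -d "$B_PRIV" \
        --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

apply_hairpin_rules
```

Two things to verify on the firewall when this does not work: that ip_forward is enabled, and that the firewall is not sending ICMP redirects. Because the packet is forwarded back out the interface it arrived on, Linux may tell A to reach 1.1.1.2 via 192.168.0.2 directly, which bypasses the NAT; setting net.ipv4.conf.eth1.send_redirects=0 (interface name assumed) prevents that. Watching the connection with conntrack -L while A connects shows whether both the DNAT and SNAT mappings were applied to the flow.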