Hi,

I've read the netfilter howtos and the mailing list archive but could not get around with it.

The config is as follows, all up and working:

eth0: 1.2.3.4 netmask 255.255.255.192 (internet)
eth1: 10.0.0.1 netmask 255.255.255.0 (so called dmz)
eth2: 192.168.1.1 netmask 255.255.255.0 (internal)
default gateway 1.2.3.3 (router, up and working)

Web Server 10.0.0.50
Another Web Server 10.0.0.60
Mail Server 10.0.0.70

What I would like to do is
1. to have internal PCs access the internet.
2. to be able to NAT 1.2.3.5 to 10.0.0.50, 1.2.3.6 to 10.0.0.60 and 1.2.3.6 to 10.0.0.70

Here are the iptables rules.

# access to internet from internal (tested, working ok)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# FORWARD is a chain of the filter table (the nat table has no FORWARD chain), so no -t nat here
iptables -A FORWARD -i eth2 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT ??
iptables -t nat -A PREROUTING -d 1.2.3.5 -p tcp --dport 80 -j DNAT --to 10.0.0.50
iptables -t nat -A PREROUTING -d 1.2.3.6 -p tcp --dport 80 -j DNAT --to 10.0.0.60
iptables -t nat -A PREROUTING -d 1.2.3.7 -p tcp --dport 110 -j DNAT --to 10.0.0.70
iptables -t nat -A PREROUTING -d 1.2.3.7 -p tcp --dport 25 -j DNAT --to 10.0.0.70

Can anybody help me on logging & debugging, and why this is not working?? Am I missing anything in the routing part???

Regards, TIA
Oyku
hi oyku,

first install the three cards. Configure the IP addresses and your subnets. Don't start or configure the firewall!!!! First try to reach all your interfaces with ping (from dmz to firewall, dmz to internal, internet to dmz....). If okay, start configuring your firewall :-))

best Regards
Andy
Hi,
I can reach the dmz from internal and the internet from the dmz, and I can reach the fw external interface from the internet and vice versa, but of course I cannot reach the dmz from the internet (it means expecting to reach 10.0.0.10 from the internet).

The routing table looks like:

Destination   Gateway     Genmask          Flags  Iface
1.2.3.192     0.0.0.0     255.255.255.192  U      eth0   # ext interface with real IP (eth0: 1.2.3.194)
10.0.0.0      0.0.0.0     255.255.255.0    U      eth1   # dmz (eth1: 10.0.0.1)
192.168.1.0   0.0.0.0     255.255.255.0    U      eth2   # internal LAN (eth2: 192.168.1.1)
0.0.0.0       1.2.3.193   0.0.0.0          UG     eth0   # default GW (router)

I have a feeling that I'm missing something here.

Regards,
Oyku
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hi Oyku!

First of all, I suppose that you have 1.2.3.[5-6-7] as virtual IPs on the host, I mean on interfaces like eth0:0, eth0:1, eth0:2... After this you should be able to ping these IPs from outside and get a response, or to traceroute them and reach your router just before them, and of course after it, them. If these IPs are not visible from the inet it will never work.

Once this is working your rules should work; if they do not work, try changing PREROUTING by POSTROUTING and DNAT by SNAT.

Good luck!!

Regards from Barcelona :-)
Ramon Acedo Rodriguez.
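As an added example (not code posted by anyone in this thread), here is the complete ruleset for the setup Oyku describes, pulling together the points raised above: the FORWARD rules belong in the filter table (the nat table has no FORWARD chain), the public addresses 1.2.3.5-7 have to exist on eth0 as aliases before any PREROUTING rule can see traffic for them (Ramon's point), and LOG rules give the logging and debugging Oyku asks for. Interface names, addresses and ports are the ones from the post; the /26 prefix is derived from the 255.255.255.192 netmask; the dry-run switch (APPLY) and the helper names are my own. By default the script only prints the commands.

```shell
#!/bin/sh
# Added example for the suse-security thread above, not the poster's own rules.
# Dry run by default: commands are printed, not executed. APPLY=1 runs them.

WAN=eth0; DMZ=eth1; LAN=eth2          # interface roles from the post
WAN_PREFIX=26                         # from netmask 255.255.255.192
WEB1=10.0.0.50; WEB2=10.0.0.60; MAIL=10.0.0.70
VIP_WEB1=1.2.3.5; VIP_WEB2=1.2.3.6; VIP_MAIL=1.2.3.7

if [ "${APPLY:-0}" = "1" ]; then
    IPT=iptables; IP=ip; SYSCTL=sysctl
else
    IPT="echo iptables"; IP="echo ip"; SYSCTL="echo sysctl"
fi

rules() {
    # 1. The public addresses must be on the firewall itself (Ramon's point).
    #    Otherwise the router never delivers the packets and nothing
    #    in PREROUTING ever sees them.
    for vip in "$VIP_WEB1" "$VIP_WEB2" "$VIP_MAIL"; do
        $IP addr add "$vip/$WAN_PREFIX" dev "$WAN"
    done
    $SYSCTL -w net.ipv4.ip_forward=1

    # 2. filter table (no -t nat: FORWARD is a filter chain). Default deny,
    #    then allow replies, LAN out and DMZ out; masquerade everything leaving eth0.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # 3. One public IP -> DMZ host mapping per entry: "vip:host:ports".
    for map in "$VIP_WEB1:$WEB1:80" "$VIP_WEB2:$WEB2:80" "$VIP_MAIL:$MAIL:25,110"; do
        vip=${map%%:*}; rest=${map#*:}; host=${rest%%:*}; ports=${rest#*:}
        # The nat table sees only the first packet of a connection, so a LOG
        # rule here answers "does the router deliver the packets at all?".
        $IPT -t nat -A PREROUTING -i "$WAN" -d "$vip" -p tcp -m multiport --dports "$ports" \
             -m limit --limit 5/min -j LOG --log-prefix "nat-pre: "
        $IPT -t nat -A PREROUTING -i "$WAN" -d "$vip" -p tcp -m multiport --dports "$ports" \
             -j DNAT --to-destination "$host"
        # FORWARD runs after DNAT, so it must match the private address,
        # and only for the published ports.
        $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$host" -p tcp -m multiport --dports "$ports" \
             -m state --state NEW -j ACCEPT
    done

    # 4. Log what FORWARD drops, rate-limited so a scan cannot flood the log.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "
}

debug_hints() {
    # Where to look when it still does not work (only printed, never executed here).
    echo "iptables -t nat -L PREROUTING -n -v   # packet counters on the DNAT rules"
    echo "iptables -L FORWARD -n -v             # counters on the filter rules"
    echo "tcpdump -ni $WAN host $VIP_WEB1        # does the router deliver the packets?"
    echo "tcpdump -ni $DMZ host $WEB1            # are they forwarded after DNAT?"
    echo "dmesg | grep -E 'nat-pre|fwd-drop'     # output of the LOG rules"
}

rules
debug_hints
```

Run it once without APPLY to read the generated commands, then with APPLY=1 as root on the firewall. The counters from `iptables -t nat -L PREROUTING -n -v` tell you which stage loses the packets: a zero counter on the DNAT rule means the router never sent them (alias or routing problem), a nonzero DNAT counter with "fwd-drop" log lines means the filter table is rejecting them.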
participants (3)
- Andreas Müller
- Oyku Gencay
- Ramon Acedo