RE: [suse-security] DNAT / routing problem ...
What am I doing wrong?
I'm not sure. It's not the arp or DNAT, IMHO, since I just recreated your scenario and it works fine.
However, a while back you said that you were also SNATing in the POSTROUTING chain from Internet to DMZ. I didn't do that, I'm just doing plain old routing. Can you see the packets on the DMZ subnet?
Nope, you were right back then too, SNAT was not needed. tcpdump -n -i eth1 src or dst 192.168.1.3 doesn't give me any output other than the tcpdump header.
OK, so just for the record, here's what I did:

Router:
  ifconfig eth0 192.168.1.42 netmask 255.255.255.0 broadcast 192.168.1.255 up
  ifconfig eth0:0 192.168.1.40 netmask 255.255.255.0 broadcast 192.168.1.255 up
  ifconfig eth1 192.168.72.254 netmask 255.255.255.0 broadcast 192.168.72.255 up
  iptables -t nat -A PREROUTING -p tcp -d 192.168.1.40 --dport 80 -j LOG
  iptables -t nat -A PREROUTING -p tcp -d 192.168.1.40 --dport 80 -j DNAT \
      --to 192.168.72.4:80

'Hidden' Server:
  ifconfig eth0 192.168.72.4 netmask 255.255.255.0 broadcast 192.168.72.255 up
  route add default 192.168.72.254

(There may be a 'gw' missing in that route statement, I'm too lazy to consult the man page right now).

Then, I could access the SuSE default web server page on 192.168.10.40 or rather 192.168.72.4.

HTH
Tobias
Hi again

On Mon 10 Dec 01 15:37, Reckhard, Tobias wrote:

  What am I doing wrong?

  OK, so just for the record, here's what I did:

  Router:
    ifconfig eth0 192.168.1.42 netmask 255.255.255.0 broadcast 192.168.1.255 up
    ifconfig eth0:0 192.168.1.40 netmask 255.255.255.0 broadcast 192.168.1.255 up
    ifconfig eth1 192.168.72.254 netmask 255.255.255.0 broadcast 192.168.72.255 up
    iptables -t nat -A PREROUTING -p tcp -d 192.168.1.40 --dport 80 -j LOG
    iptables -t nat -A PREROUTING -p tcp -d 192.168.1.40 --dport 80 -j DNAT \
        --to 192.168.72.4:80

  'Hidden' Server:
    ifconfig eth0 192.168.72.4 netmask 255.255.255.0 broadcast 192.168.72.255 up
    route add default 192.168.72.254

  (There may be a 'gw' missing in that route statement, I'm too lazy to consult the man page right now).

  Then, I could access the SuSE default web server page on 192.168.10.40 or rather 192.168.72.4.

Do you think it could be because I have two different class C IP ranges on my interfaces (i.e. 10.0.0.0/24 and 192.168.1.0/24)? From the tcpdump outputs, it seems like a new packet is being generated on the external interface and then not routed to the DMZ interface.

  HTH
  Tobias

Ray
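The rules posted in the thread cover only the nat PREROUTING side. For the rewritten packet to actually leave on the DMZ interface, the router must also have IP forwarding switched on and must accept the flow in the filter FORWARD chain, neither of which the posted configuration mentions. The script below is an added example written for this reply, not the list poster's own setup: it emits a complete iptables-restore ruleset for the same DNAT (LOG, then DNAT, no SNAT, plus the two FORWARD rules that let the DNATed connection and its replies through and nothing else), and it checks the ip_forward sysctl. The function names, the interface restriction on the PREROUTING rules and the log prefix are this example's own choices; the addresses are the ones from the thread.

```shell
# Added example (not from the thread): full ruleset needed for a PREROUTING DNAT
# to be forwarded to a DMZ host. Function names are this example's own.

# Emit an iptables-restore file for "tcp/$5 on $3 -> $4:$5".
# Arguments: public interface, DMZ interface, public IP, DMZ host, port
dnat_ruleset() {
    pub_if=$1; dmz_if=$2; pub_ip=$3; dmz_host=$4; port=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Log, then rewrite the destination. No SNAT: the DMZ host's default route
# points back at this router, so replies already come back through it.
-A PREROUTING -i $pub_if -p tcp -d $pub_ip --dport $port -j LOG --log-prefix "DNAT-$port: "
-A PREROUTING -i $pub_if -p tcp -d $pub_ip --dport $port -j DNAT --to-destination $dmz_host:$port
COMMIT
*filter
:FORWARD DROP [0:0]
# The rewritten packet still traverses FORWARD (now with the DMZ address as
# destination). Permit only the DNATed service and the matching replies.
-A FORWARD -i $pub_if -o $dmz_if -p tcp -d $dmz_host --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i $dmz_if -o $pub_if -p tcp -s $dmz_host --sport $port -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# DNAT only rewrites the header; nothing is forwarded to the DMZ interface
# unless net.ipv4.ip_forward is 1. The file to read can be overridden via $1
# so the check can be exercised against a constructed file.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Usage on the router (as root):
#   sysctl -w net.ipv4.ip_forward=1
#   dnat_ruleset eth0 eth1 192.168.1.40 192.168.72.4 80 | iptables-restore
#   forwarding_enabled || echo "ip_forward is off: DNATed packets will never reach eth1"
```

With this in place, `tcpdump -n -i eth1 host 192.168.72.4` on the router should show the rewritten SYN leaving on the DMZ interface; if the LOG line appears in the kernel log but nothing shows on eth1, the forwarding sysctl or the FORWARD chain is the next thing to check.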
participants (2)
- Ray Leach
- Reckhard, Tobias