Mailinglist Archive: opensuse-security (465 mails)

RE: [suse-security] DNAT / routing problem ...
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 10 Dec 2001 14:37:40 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56C99@xxxxxxxxxxxxxxxxx>
> > > What am I doing wrong?
> >
> > I'm not sure. It's not the arp or DNAT, IMHO, since I just recreated your
> > scenario and it works fine.
> >
> > However, a while back you said that you were also SNATing in the
> > POSTROUTING chain from Internet to DMZ. I didn't do that, I'm just doing
> > plain old routing. Can you see the packets on the DMZ subnet?
> >
> Nope, you were right back then too, SNAT was not needed.
> tcpdump -n -i eth1 src or dst 192.168.1.3 doesn't give me any output other
> than the tcpdump header.

OK, so just for the record, here's what I did:

Router:
ifconfig eth0 192.168.1.42 netmask 255.255.255.0 broadcast 192.168.1.255 up
ifconfig eth0:0 192.168.1.40 netmask 255.255.255.0 broadcast 192.168.1.255 up
ifconfig eth1 192.168.72.254 netmask 255.255.255.0 broadcast 192.168.72.255 up
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.40 --dport 80 -j LOG
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.40 --dport 80 -j DNAT \
--to 192.168.72.4:80

'Hidden' Server:
ifconfig eth0 192.168.72.4 netmask 255.255.255.0 broadcast 192.168.72.255 up
route add default 192.168.72.254

(There may be a 'gw' missing in that route statement, I'm too lazy to
consult the man page right now).

Then, I could access the SuSE default web server page on 192.168.10.40 or
rather 192.168.72.4.

HTH
Tobias
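
Added example, not part of the original message: a toy Python model of why the setup above works without an SNAT rule. The router's connection tracking reverses the DNAT on replies, but only if the hidden server's default route sends them back through the router. The client address 192.168.1.7:40000 and the alternate gateway 192.168.72.1 are constructed for illustration.

```python
"""Toy model of the router's DNAT rule and its connection tracking."""

# Addresses taken from the message above.
VIP, REAL, PORT = "192.168.1.40", "192.168.72.4", 80
ROUTER_DMZ = "192.168.72.254"
# Constructed sample client on the outside network (an assumption).
CLIENT = ("192.168.1.7", 40000)


class Router:
    def __init__(self):
        # Maps the expected reply tuple to the original destination.
        self.conntrack = {}

    def prerouting(self, src, dst):
        """Apply the DNAT rule and record how to undo it for replies."""
        if dst == (VIP, PORT):
            new_dst = (REAL, PORT)
            self.conntrack[(new_dst, src)] = dst
            return src, new_dst
        return src, dst

    def reply(self, src, dst):
        """Rewrite the source of a reply that matches a tracked connection."""
        return self.conntrack.get((src, dst), src), dst


def round_trip(server_gateway):
    """Return (src, dst) of the reply exactly as the client receives it."""
    router = Router()
    src, dst = router.prerouting(CLIENT, (VIP, PORT))  # request hits eth0
    r_src, r_dst = dst, src                            # server swaps the tuple
    if server_gateway == ROUTER_DMZ:
        return router.reply(r_src, r_dst)              # reply crosses the router
    return r_src, r_dst                                # reply bypasses the router


if __name__ == "__main__":
    # Reply arrives from 192.168.1.40:80, which the client's connection expects.
    print(round_trip(ROUTER_DMZ))
    # Hypothetical second gateway: reply arrives from 192.168.72.4:80 instead,
    # which matches no connection on the client.
    print(round_trip("192.168.72.1"))
```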
