Hello, we'd like a good way of allowing trusted
IPs from the Internet to use some services that we have in our
intranet. We need to simulate that certain IPs of the Internet seem to be IPs
assigned by our ISP, to access some services that are only allowed to the users
connected to our ISP.
The first idea was to use a gateway with some
iptables rules:
iptables -t nat -A POSTROUTING -s "trusted_ip" -o eth0 -j SNAT --to 1.2.3.4
to change the incoming IPs,
and for returning:
iptables -t nat -A PREROUTING -d 1.2.3.4 -i eth0 -j DNAT --to "trusted_ip"
So if we ping the "trusted_ip" from the intranet we
get an answer, and if we ping 1.2.3.4 from the trusted IP we get an answer
too.
Note that the intranet is not an actual intranet
because it has well-known-to-the-Internet IPs -we've got a
little ISP-
But this limits us because the "trusted_ip" must
have as default gateway the box that has the iptables rules. As the trusted IPs
are dynamic addresses from the Internet which are trusted just for some time and then
removed from the iptables rules, it is not possible to make everyone
change their default gateway just to access our intranet for a
while.
With the system I mentioned before we got some
trouble with FTP. As I said, we could ping from each side of the
gateway/firewall to each other, but when I connected to an FTP server of my
intranet with a client from outside, with the IP converted with iptables, we could
log in but not make data transfers. After login the FTP server opens port 20 to
the client to establish the data connection; I think it shouldn't have any
problem, but the client complains about bind or network reaching or
something, I can't remember -sorry :) -
Maybe there is another way of doing it, but we
NEED to change the source IPs because in the intranet we have lots of services
that validate just the IPs of the intranet, and it is very difficult to
make dynamic IP validations.
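An added example, not part of the poster's message: a POSIX shell script that prints (rather than applies) the iptables rule set for the NAT setup described above, with the two pieces the posted rules leave out. First, reply packets of a SNATed connection are un-NATed by connection tracking on their way back, so no separate rule is needed for them. Second, active-mode FTP breaks through plain NAT because the client's PORT command carries its real address inside the TCP payload; only the FTP connection-tracking/NAT helper (nf_conntrack_ftp and nf_nat_ftp) rewrites that address and lets the server's port-20 data connection through as a RELATED connection, which matches the "login works, data transfer fails" symptom. The interface names (eth0 intranet side, eth1 Internet side), the spare ISP address 1.2.3.4 taken from the post, and the trusted address 203.0.113.7 in the usage line are assumptions and constructed values; the DNAT rule on the intranet side mirrors the post's and keeps the same limitation, its replies only return through this box if the trusted host routes to it.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the iptables rules for
# presenting one trusted Internet host to the intranet as the spare ISP
# address MAPPED_IP. Assumed (hypothetical) names: eth0 = intranet side,
# eth1 = Internet side. Pipe the output to sh on the gateway to apply it.
INTRA_IF=${INTRA_IF:-eth0}
INET_IF=${INET_IF:-eth1}
MAPPED_IP=${MAPPED_IP:-1.2.3.4}   # spare address of the ISP's range (from the post)

# is_ipv4 ADDR: dotted-quad check so a typo never turns into a NAT rule
is_ipv4() {
  case $1 in
    "" | *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  set -- $(echo "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# emit_nat_rules TRUSTED_IP: print the commands for one trusted address
emit_nat_rules() {
  trusted=$1
  is_ipv4 "$trusted" || { echo "emit_nat_rules: bad address '$trusted'" >&2; return 1; }
  cat <<EOF
# FTP helper: rewrites the address inside PORT/PASV and tracks the data
# connection (what the plain SNAT setup in the post is missing)
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
# helper auto-assignment is off on current kernels: attach it explicitly
iptables -t raw -A PREROUTING -i $INET_IF -s $trusted -p tcp --dport 21 -j CT --helper ftp
# trusted host -> intranet: traffic appears to come from the spare ISP address;
# conntrack reverses the translation on the replies, no extra rule needed
iptables -t nat -A POSTROUTING -s $trusted -o $INTRA_IF -j SNAT --to-source $MAPPED_IP
# intranet -> spare address: delivered to the trusted host (same limitation as
# in the post: the reply only comes back through this box if the trusted host
# routes to it)
iptables -t nat -A PREROUTING -i $INTRA_IF -d $MAPPED_IP -j DNAT --to-destination $trusted
# forwarding: new connections only from the trusted host; replies and the
# helper-expected FTP data connection are accepted by conntrack state
iptables -A FORWARD -i $INET_IF -s $trusted -o $INTRA_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: sh nat-trusted.sh 203.0.113.7 | sh   (203.0.113.7 is a constructed address)
if [ $# -gt 0 ]; then
  emit_nat_rules "$1"
fi
```

Because the script only prints the commands, the rule set for a trusted address that is about to expire can be reviewed, and later removed by re-running the same output with `-A` replaced by `-D`, without ever typing the rules by hand.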