Hi Jan!
> I need all traffic (all ports/protocols) from the Internet to our public address <PUB1> to forward/masq to private address <PRIV1>, and the same thing with the second -- <PUB2> to forward/masq to <PRIV2>.
OK. That sounds easy, but I don't think it is possible using the
options in SuSEfirewall2. My understanding of how iptables works is
still limited, and I'm unable to test anything here (being stuck with
only one public IP).
Something along the following (completely untested!) *might* work,
either in fw_custom_before_masq() or fw_custom_before_denyall():
========== snip
for DEV in $FW_DEV_EXT; do
    # Inbound: rewrite the public destination to the private host before routing
    $IPTABLES -t nat -A PREROUTING -i $DEV -s 0/0 -d $PUB1 -j DNAT --to-destination $PRIV1
    $IPTABLES -t nat -A PREROUTING -i $DEV -s 0/0 -d $PUB2 -j DNAT --to-destination $PRIV2
    # ... then let the already-rewritten packets through the forward chains
    for CHAIN in forward_ext forward_dmz forward_int; do
        $LAA $IPTABLES -A $CHAIN -i $DEV -s 0/0 -d $PRIV1 -j LOG ${LOG}"-ACCEPT-DNAT "
        $IPTABLES -A $CHAIN -i $DEV -s 0/0 -d $PRIV1 -m state --state NEW,ESTABLISHED,RELATED -j "$ACCEPT"
        $LAA $IPTABLES -A $CHAIN -i $DEV -s 0/0 -d $PRIV2 -j LOG ${LOG}"-ACCEPT-DNAT "
        $IPTABLES -A $CHAIN -i $DEV -s 0/0 -d $PRIV2 -m state --state NEW,ESTABLISHED,RELATED -j "$ACCEPT"
    done
done
# For outbound connections from $PRIV1 and $PRIV2 only (not sure)
for DEV in $FW_DEV_EXT; do
    # Allow the private hosts out through the forward chains ...
    for CHAIN in forward_ext forward_dmz forward_int; do
        $LAA $IPTABLES -A $CHAIN -o $DEV -s $PRIV1 -d 0/0 -j LOG ${LOG}"-ACCEPT-SNAT "
        $IPTABLES -A $CHAIN -o $DEV -s $PRIV1 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j "$ACCEPT"
        $LAA $IPTABLES -A $CHAIN -o $DEV -s $PRIV2 -d 0/0 -j LOG ${LOG}"-ACCEPT-SNAT "
        $IPTABLES -A $CHAIN -o $DEV -s $PRIV2 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j "$ACCEPT"
    done
    # ... and rewrite their source address to the matching public address on the way out
    $IPTABLES -t nat -A POSTROUTING -o $DEV -s $PRIV1 -d 0/0 -j SNAT --to-source $PUB1
    $IPTABLES -t nat -A POSTROUTING -o $DEV -s $PRIV2 -d 0/0 -j SNAT --to-source $PUB2
done
========== snip
Regards, Andy
--
Andreas J. Mueller email:
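The same 1:1 mapping as a generated, reviewable rule set, written here as an added example (it is not Andy's code and not part of SuSEfirewall2): it assumes the IPTABLES and FW_DEV_EXT variables as the firewall script sets them, introduces the NAT_PAIRS and NAT_NEW_PORTS names, and prints the rules instead of applying them so they can be checked before use.

```shell
#!/bin/sh
# Added example, not from Andy's message: emit the 1:1 NAT rule set for a list of
# PUBLIC:PRIVATE pairs on every external device, in dependency order. Rules are
# printed rather than applied, so they can be reviewed (or piped to sh) first.
# Assumed environment: IPTABLES and FW_DEV_EXT as SuSEfirewall2 sets them;
# NAT_PAIRS and NAT_NEW_PORTS are names introduced by this example.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
FW_DEV_EXT=${FW_DEV_EXT:-eth0}
# Constructed sample mapping (documentation addresses); replace with real ones.
NAT_PAIRS=${NAT_PAIRS:-"198.51.100.10:192.168.1.10 198.51.100.11:192.168.1.11"}
# Optional "proto:port ..." list. When empty, NEW inbound connections are accepted
# on every port (what was asked for); setting it limits the exposed surface.
NAT_NEW_PORTS=${NAT_NEW_PORTS:-""}

nat_rules_for_pair() {
    pub=$1; priv=$2; dev=$3
    # Inbound: rewrite the destination before routing, then permit the forward.
    echo "$IPTABLES -t nat -A PREROUTING -i $dev -d $pub -j DNAT --to-destination $priv"
    for chain in forward_ext forward_dmz forward_int; do
        echo "$IPTABLES -A $chain -i $dev -d $priv -m state --state ESTABLISHED,RELATED -j ACCEPT"
        if [ -z "$NAT_NEW_PORTS" ]; then
            echo "$IPTABLES -A $chain -i $dev -d $priv -m state --state NEW -j ACCEPT"
        else
            for pp in $NAT_NEW_PORTS; do
                echo "$IPTABLES -A $chain -i $dev -d $priv -p ${pp%%:*} --dport ${pp#*:} -m state --state NEW -j ACCEPT"
            done
        fi
        # Outbound from the private host (its replies plus its own new connections).
        echo "$IPTABLES -A $chain -o $dev -s $priv -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
    # Source NAT so traffic from $priv leaves as $pub, the mirror of the DNAT above.
    echo "$IPTABLES -t nat -A POSTROUTING -o $dev -s $priv -j SNAT --to-source $pub"
}

gen_nat_rules() {
    for dev in $FW_DEV_EXT; do
        for pair in $NAT_PAIRS; do
            # Reject malformed entries instead of emitting half a mapping.
            case $pair in *:*) ;; *) echo "bad NAT pair: $pair" >&2; return 1;; esac
            nat_rules_for_pair "${pair%%:*}" "${pair#*:}" "$dev"
        done
    done
}

gen_nat_rules
```

Run it once with NAT_NEW_PORTS empty to reproduce the all-ports mapping, and once with e.g. NAT_NEW_PORTS="tcp:80 tcp:443" to see how many forward rules the restricted variant removes.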