
Re: SNAT out same interface packets come in



Surely you want your firewall between your customers and the router
(i.e. between your customers and the net).

Internet
   |
Router
   |          - eth0
Firewall
   |          - eth1
Internal Lan


(presuming that the firewall is multihomed)

If it's like this, then all you need to do is

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


and add the forwarding rules

iptables -A FORWARD -i eth1 -s 192.168.17.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.17.0/24 -o eth1 -m state --state \
    ESTABLISHED,RELATED -j ACCEPT

and set the policies to drop anything else.

I think this is correct; please inform me if it isn't.

HTH,

charlie

(PS: NAT is ugly; maybe using a proxy would be more suitable.)

On Tue, 2003-05-27 at 16:27, Mark Devin wrote:
> I have a setup which is confusing me regarding SNAT.
> 
> Basically the network looks like:
>   ------------
>   | Firewall |
>   ------------
>        |
>        |
>   ----------
>   | Router |-------------> Internet
>   ----------
>       |||
>       |||
>   ------------------------------------------
>   | Customers on 192.168.17.0/24 addresses |
>   ------------------------------------------
> 
> Customers trying to connect to services on the internet send traffic to
> the router which forwards it to the firewall box.  The firewall box then
> needs to NAT these packets and send them back out the same interface to
> the router.  The router then will send these packets (now with source
> address of the firewall) out to the internet.
> 
> How do you do this?  Is it possible?
> 
> I was thinking having a POSTROUTING rule like:
> $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.17.0/24 \
>     -j SNAT --to-source $INET_IPADDR
> 
> And then two FORWARD rules like:
> $IPTABLES -A FORWARD -i eth0 -o eth0 -s 192.168.17.0/24 -j ACCEPT
> $IPTABLES -A FORWARD -i eth0 -o eth0 -d 192.168.17.0/24 -j ACCEPT
> 
> Notice that the in interface and the out interface are both eth0.  I am
> confused about this.  Can you even have a rule on the FORWARD chain
> which goes in and out the same interface?
> 
> If anyone can enlighten me I would be grateful.
> 
> Regards.
> Mark.
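The two layouts discussed in this thread, as an added example that is not code from either post: one function builds the "hairpin" ruleset Mark asks about (customer traffic enters and leaves on the same interface, which the FORWARD chain does allow), the other builds the dual-homed ruleset charlie suggests (customers on eth1, router on eth0). The interface names, the customer subnet and the public address 203.0.113.10 (a documentation placeholder) are assumptions; without the `apply` argument the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the list post. Builds the two rulesets
# discussed in the thread. Interface names, the customer subnet and the
# public address (203.0.113.10, a TEST-NET-3 placeholder) are assumptions.
#
# Usage: sh nat-rules.sh [hairpin|dualhomed]          # dry run, prints commands
#        sh nat-rules.sh [hairpin|dualhomed] apply    # runs them (needs root)

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
CUST_NET="${CUST_NET:-192.168.17.0/24}"
INET_IPADDR="${INET_IPADDR:-203.0.113.10}"

# Common prologue: forwarding must be on or the FORWARD chain is never
# consulted; the default policy drops whatever the rules below do not match.
prologue() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP
}

# Hairpin (one-armed) case: -i and -o are both eth0. Only the customer
# subnet may open connections; only replies belonging to those connections
# may come back in. INVALID packets fall through to the DROP policy.
hairpin_rules() {
    prologue
    $IPT -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -s "$CUST_NET" \
         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -d "$CUST_NET" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SNAT to a fixed address: the router sends replies to it and conntrack
    # rewrites the destination back to the customer host.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$CUST_NET" \
         -j SNAT --to-source "$INET_IPADDR"
}

# Dual-homed case: customers on eth1, router on eth0. POSTROUTING has no -i
# match, so the source subnet does the restricting. MASQUERADE uses whatever
# address the outgoing interface has, which suits links with a changing IP.
dualhomed_rules() {
    prologue
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$CUST_NET" \
         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$CUST_NET" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$CUST_NET" -j MASQUERADE
}

MODE="${1:-hairpin}"
if [ "${2:-}" != "apply" ]; then
    IPT="echo iptables"; SYSCTL="echo sysctl"   # dry run: print, do not apply
fi
case "$MODE" in
    hairpin)   hairpin_rules ;;
    dualhomed) dualhomed_rules ;;
    *) echo "usage: $0 [hairpin|dualhomed] [apply]" >&2; exit 2 ;;
esac
```

Both rulesets restrict NAT and forwarding to the customer subnet rather than to an interface alone, so a host elsewhere on the router's segment cannot ride through the firewall simply by arriving on eth0.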



