Re: SNAT out same interface packets come in
Surely you want your firewall between your customers and the router
(ie between your customers and the net.)
Internet
|
Router
| - eth0
Firewall
| - eth1
Internal Lan
(presuming that the firewall is multihomed)
If it's like this, then all you need to do is
iptables -t nat -A POSTROUTING -s 192.168.17.0/24 -o eth0 -j MASQUERADE
and add the forwarding rules
iptables -A FORWARD -i eth1 -s 192.168.17.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.17.0/24 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
and set the policies to drop anything else.
I think this is correct; please inform me if it isn't.
HTH,
charlie
(PS: NAT is ugly; maybe using a proxy would be more suitable.)
On Tue, 2003-05-27 at 16:27, Mark Devin wrote:
> I have a setup which is confusing me regarding SNAT.
>
> Basically the network looks like:
> ------------
> | Firewall |
> ------------
>      |
>      |
>   ----------
>   | Router |-------------> Internet
>   ----------
>      |||
>      |||
> ----------------------------------------
> | Customers on 192.168.17.0/24 addresses |
> ----------------------------------------
>
> Customers trying to connect to services on the internet send traffic to
> the router which forwards it to the firewall box. The firewall box then
> needs to NAT these packets and send them back out the same interface to
> the router. The router then will send these packets (now with source
> address of the firewall) out to the internet.
>
> How do you do this? Is it possible?
>
> I was thinking having a POSTROUTING rule like:
> $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.17.0/24 \
>     -j SNAT --to-source $INET_IPADDR
>
> And then two FORWARD rules like:
> $IPTABLES -A FORWARD -i eth0 -o eth0 -s 192.168.17.0/24 -j ACCEPT
> $IPTABLES -A FORWARD -i eth0 -o eth0 -d 192.168.17.0/24 -j ACCEPT
>
> Notice that the in interface and the out interface are both eth0. I am
> confused about this. Can you even have a rule on the FORWARD chain
> which goes in and out the same interface?
>
> If anyone can enlighten me I would be grateful.
>
> Regards.
> Mark.
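For the inline layout charlie recommends (firewall between the router and the customers), here is an added example script, not from either poster, that builds that ruleset with default-DROP policies and an anti-spoofing rule. Interface names and the 192.168.17.0/24 prefix are taken from the thread; the DRY_RUN switch is an assumption added so the generated commands can be reviewed without root or a netfilter kernel.

```shell
#!/bin/sh
# Added example (not from the thread): inline firewall between router and
# customers. Interface names and the LAN prefix are assumptions taken from
# the thread; adjust them for a real box. With DRY_RUN=1 (the default) the
# iptables commands are printed instead of executed.
WAN=eth0                       # towards the router / Internet
LAN=eth1                       # towards the customers
LAN_NET=192.168.17.0/24
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

gen_rules() {
    # Flush and default-deny: nothing is forwarded unless a rule allows it.
    ipt -F; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    # Anti-spoofing: customer addresses must never arrive from the WAN side.
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # LAN -> Internet: connections originating from the customer prefix.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Internet -> LAN: only replies to connections the LAN opened
    # (the reply has already been de-NATed in PREROUTING, so -d matches).
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Source NAT lives in the nat table's POSTROUTING chain; -i is not
    # accepted there, so match on source prefix and output interface.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

gen_rules
```

Run with DRY_RUN=0 as root to apply; in the two-interface layout no FORWARD rule ever needs the same interface as both -i and -o.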