Re: [fw-wiz] Non-NAT Firewall
From: Sigurd Urdahl (sigurdur_at_linpro.no)
Date: 11/11/05
- Previous message: Paul Melson: "RE: [fw-wiz] medical records, web server, & stateful firewall vs packet filter"
- In reply to: Nathaniel Hall: "[fw-wiz] Non-NAT Firewall"
- Next in thread: Nathaniel Hall: "Re: [fw-wiz] Non-NAT Firewall"
- Reply: Nathaniel Hall: "Re: [fw-wiz] Non-NAT Firewall"
- Reply: R. DuFresne: "Re: [fw-wiz] Non-NAT Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: 11 Nov 2005 00:15:44 +0100
Nathaniel Hall <nathaniel.d.hall@gmail.com> writes:
> Alright, this is a bit tough to explain, so I will try my best.
>
> I am currently running a CheckPoint-NG firewall with three interfaces.
> Interface 1 goes to DMZ 1 (public IP addressing and Internet facing),
> interface 2 goes to DMZ 2 (public IP addressing) and interface 3 goes to
> the internal network (private IP addressing). The CheckPoint FW does
> not perform NAT. That allows me to review logs of servers in DMZ 1
> without having to figure out what internal IP was NATed.
>
> Now, for my problem. I would like to be able to have the same
> functionality using NetFilter, but I have not been able to figure out
> how to do this without masquerading or using DNAT and SNAT. Any ideas?
I don't get it. You say the CP box doesn't do NAT. But I assume you
still have the internal clients accessing the Internet NATed?
If what you want is to have traffic from the internal net not be NATed
if going to one of the DMZs, but NATed if going to the Internet, you
should probably be able to do something like this:
# nat table, POSTROUTING chain: the first rule that matches a new
# connection decides it. ACCEPT here means "leave it untranslated".
iptables -t nat -A POSTROUTING -s $INTERNAL -d $DMZ1 -j ACCEPT
iptables -t nat -A POSTROUTING -s $INTERNAL -d $DMZ2 -j ACCEPT
# Anything else from the internal net is headed for the Internet:
# source-NAT it to the firewall's external address.
iptables -t nat -A POSTROUTING -s $INTERNAL -j SNAT --to-source $EXTERNAL_IP
with $DMZ1, $DMZ2 and $INTERNAL being the different nets, e.g.
10.12.25.0/24, and $EXTERNAL_IP being the address on the firewall that
you want the clients to come through when going out on the
Internet. And of course you'll have to adjust the targets; you most
likely will want to jump to a chain with rules instead of to
ACCEPT. And make those chains end in a DROP or something, otherwise
packets might fall through and hit the DNAT-rule.
Disclaimer: I haven't tested that this actually works (need to rebuild
that testbox:-), but at least iptables doesn't complain when I try
to add that kind of rules to my workstation.
kind regards,
-sig
--
Sigurd Urdahl sigurdur@linpro.no
Systems consultant and such
Linpro A/S http://www.linpro.no/
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
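The rule ordering the reply relies on (exclusions for the DMZ nets first, source NAT last, first match wins in the nat table) can be checked offline before touching a firewall. The Python below is an added example, not code from the original post or from Linpro; the address ranges (documentation /24s for the two public DMZs, 10.12.25.0/24 for the internal net), the external address 198.51.100.1 and the interface-free POSTROUTING rules are assumptions chosen so it runs without a real box. It models how the nat table picks one rule per new connection, renders the equivalent iptables commands, and shows what a DMZ server's log would record with and without the exclusion rules.

```python
"""Model of selective source NAT in the iptables nat table.

Constructed example: the topology and addresses below are assumptions,
not taken from the mailing-list post.
"""
import ipaddress

# Assumed topology (documentation ranges so nothing real is referenced).
DMZ1 = ipaddress.ip_network("203.0.113.0/24")   # public, Internet facing
DMZ2 = ipaddress.ip_network("192.0.2.0/24")     # public
INTERNAL = ipaddress.ip_network("10.12.25.0/24")  # private
EXTERNAL_IP = "198.51.100.1"                     # firewall's outside address

# A rule is (src_net, dst_net, target); None matches anything.
# target is "ACCEPT" (leave the connection untranslated) or ("SNAT", ip).
SELECTIVE_NAT = [
    (INTERNAL, DMZ1, "ACCEPT"),
    (INTERNAL, DMZ2, "ACCEPT"),
    (INTERNAL, None, ("SNAT", EXTERNAL_IP)),
]

# Same intent with the exclusions forgotten: every internal connection
# falls through to the SNAT rule, including those bound for the DMZs.
NAIVE_NAT = [
    (INTERNAL, None, ("SNAT", EXTERNAL_IP)),
]


def nat_postrouting(rules, src, dst):
    """Return the source address the destination host will see.

    Mimics the nat table: only the first matching rule for a new
    connection counts, ACCEPT stops the walk without translating, and a
    packet that matches nothing leaves untranslated.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for src_net, dst_net, target in rules:
        if src_net is not None and s not in src_net:
            continue
        if dst_net is not None and d not in dst_net:
            continue
        if target == "ACCEPT":
            return src
        kind, new_src = target
        if kind == "SNAT":
            return new_src
        raise ValueError(f"unknown target {target!r}")
    return src


def render_iptables(rules, chain="POSTROUTING"):
    """Emit the iptables commands for the ruleset, in rule order."""
    commands = []
    for src_net, dst_net, target in rules:
        cmd = ["iptables", "-t", "nat", "-A", chain]
        if src_net is not None:
            cmd += ["-s", str(src_net)]
        if dst_net is not None:
            cmd += ["-d", str(dst_net)]
        if target == "ACCEPT":
            cmd += ["-j", "ACCEPT"]
        else:
            cmd += ["-j", "SNAT", "--to-source", target[1]]
        commands.append(" ".join(cmd))
    return commands


if __name__ == "__main__":
    for line in render_iptables(SELECTIVE_NAT):
        print(line)
    client, dmz_host, internet_host = "10.12.25.7", "203.0.113.10", "8.8.8.8"
    print("DMZ log sees:      ", nat_postrouting(SELECTIVE_NAT, client, dmz_host))
    print("Internet host sees:", nat_postrouting(SELECTIVE_NAT, client, internet_host))
    print("DMZ log, no excl.: ", nat_postrouting(NAIVE_NAT, client, dmz_host))
```

Running it prints the three iptables commands and shows the DMZ server logging the real 10.12.25.7 under the selective ruleset but 198.51.100.1 under the naive one, which is exactly the log-readability the original poster wants to keep.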