Re: [fw-wiz] Non-NAT Firewall

From: R. DuFresne (
Date: 11/18/05

  • Next message: Patrick M. Hausen: "Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
    To: Sigurd Urdahl <>
    Date: Fri, 18 Nov 2005 11:37:47 -0500 (EST)


    On Thu, 11 Nov 2005, Sigurd Urdahl wrote:

    > Nathaniel Hall <> writes:
    >> Alright, this is a bit tough to explain, so I will try my best.
    >> I am currently running a CheckPoint-NG firewall with three interfaces.
    >> Interface 1 goes to DMZ 1 (public IP addressing and Internet facing),
    >> interface 2 goes to DMZ 2 (public IP addressing) and interface 3 goes to
    >> the internal network (private IP addressing). The CheckPoint FW does
    >> not perform NAT. That allows me to review logs of servers in DMZ 1
    >> without having to figure out what internal IP was NATed.
    >> Now, for my problem. I would like to be able to have the same
    >> functionality using NetFilter, but I have not been able to figure out
    >> how to do this without masquerading or using DNAT and SNAT. Any ideas?
    > I don't get it. You say the CP box doesn't do NAT. But I assume you
    > still have the internal clients accessing the Internet NATed?
    > If what you want is to have traffic from the internal net not be NATed
    > if going to one of the DMZ's, but NATed if going to the internet you
    > should probably be able to do something like this:
    > iptables -t nat -A PREROUTING -i eth2 --destination $DMZ1 --source $INTERNAL -j ACCEPT
    > iptables -t nat -A PREROUTING -i eth2 --destination $DMZ2 --source $INTERNAL -j ACCEPT
    > iptables -t nat -A PREROUTING -i eth2 --destination $DMZ1 --source $INTERNAL -j DNAT --to $EXTERNAL_IP
    > with $DMZ1, $DMZ2 and $INTERNAL being the different nets, e.g
    > and $EXTERNAL_IP being the address on the firewall that
    > you want the clients to come through when going out on the
    > Internet. And of course you'll have to adjust the targets, you most
    > likely will want to jump to a chain with rules instead of to
    > ACCEPT. And make those chains end in a DROP or something, otherwise
    > packets might fall through and hit the DNAT-rule.
    > Disclaimer: I haven't tested that this actually works (need to rebuild
    > that testbox:-), but at least iptables doesn't complain when I try
    > to add rules of that kind to my workstation.

    I keep getting the impression that NAT is taking place at least for eth2;

    "interface 3 goes to the internal network (private IP addressing)"

    And if my reading is correct then it's likely 1:1 NAT rather than mere
    masq or other forms of NAT, which is really poorly documented in the
    Linux/iptables literature. We found that some iproute2 majik was required
    to do 1:1 NAT under iptables;

         ip addr add {public address} dev ${outside}

    one such command per external address mapped to an inside private
    address, with pretty much open forwarding rules <-j ACCEPT>, in addition
    to the post/pre:routing rules within the iptable rulesets.

    The documentation on functionality tween iptables and the various iproute2
    utilities is poor, lacking at best, but if one taps the right folks with
    the right info they can get some of the majik chants required. iptables-
    specific issues are likely best addressed to the netfilter mailing list.

    Of course, since we are reading here on the quick in work mode, perhaps
    I've missed something and am entirely off-base here.


    Ron DuFresne
    --
             admin & senior security consultant:
    Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

    ...We waste time looking for the perfect lover
    instead of creating the perfect love.

                     -Tom Robbins <Still Life With Woodpecker>
    firewall-wizards mailing list
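The following is an added example, not code from any of the posters above. It spells out the recipe Ron sketches (one `ip addr add` per public address, plus the nat PREROUTING/POSTROUTING pair and forwarding rules) as a script that prints the iproute2 and iptables commands rather than running them, so it can be read or tested without root; on the firewall its output would be piped to sh. Interface names (eth0 = Internet-facing DMZ 1, eth1 = DMZ 2, eth2 = internal), the networks, the overload address and the two host mappings are all assumptions made up for the example using RFC 5737 / RFC 1918 addresses. It also covers Sigurd's point: internal-to-DMZ traffic is exempted from translation with an ACCEPT in the nat table ahead of the catch-all SNAT, so DMZ server logs show the real internal source address.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iproute2 + iptables commands
# for 1:1 NAT plus untranslated internal -> DMZ traffic.
# Assumptions, not from the posts: eth0 is the Internet-facing DMZ1 link,
# eth1 is DMZ2, eth2 is the internal net; addresses below are constructed
# sample data (RFC 5737 / RFC 1918). Nothing here touches the running kernel.

OUTSIDE=eth0               # carries the public addresses
DMZ2_IF=eth1
INSIDE=eth2
INTERNAL_NET=10.0.0.0/24
DMZ1_NET=203.0.113.0/24
DMZ2_NET=198.51.100.0/24
OVERLOAD_IP=203.0.113.1    # hosts without a 1:1 mapping leave via this address

# "public private" pairs, one per line (constructed sample data)
MAPPINGS="203.0.113.10 10.0.0.10
203.0.113.11 10.0.0.11"

base_rules() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Internal -> DMZ2 never crosses $OUTSIDE, so no nat rule below can match it.
    printf 'iptables -A FORWARD -i %s -o %s -d %s -j ACCEPT\n' "$INSIDE" "$DMZ2_IF" "$DMZ2_NET"
    # Internal -> DMZ1 and -> Internet both leave via $OUTSIDE.
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$INSIDE" "$OUTSIDE"
}

dmz_exempt_rules() {
    # Internal -> DMZ1 shares $OUTSIDE with Internet traffic; ACCEPT here ends
    # nat processing for it, so the SNAT rules further down never apply.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -j ACCEPT\n' \
        "$OUTSIDE" "$INTERNAL_NET" "$DMZ1_NET"
}

one_to_one_rules() {
    pub=$1; priv=$2
    # Bind the public address so the firewall answers ARP for it on the
    # outside segment; without this, inbound packets for $pub never arrive.
    printf 'ip addr add %s/32 dev %s\n' "$pub" "$OUTSIDE"
    # Inbound: rewrite the public destination to the private host before routing.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$OUTSIDE" "$pub" "$priv"
    # Outbound: the private host leaves under its own public address.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$OUTSIDE" "$priv" "$pub"
    # Let new inbound connections reach the mapped host (tighten to ports as needed).
    printf 'iptables -A FORWARD -i %s -o %s -d %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$OUTSIDE" "$INSIDE" "$priv"
}

overload_rules() {
    # Catch-all for the rest of the internal net; must come after the
    # per-host SNAT rules because the first matching nat rule wins.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$OUTSIDE" "$INTERNAL_NET" "$OVERLOAD_IP"
}

all_rules() {
    base_rules
    dmz_exempt_rules
    printf '%s\n' "$MAPPINGS" | while read -r pub priv; do
        if [ -n "$pub" ]; then one_to_one_rules "$pub" "$priv"; fi
    done
    overload_rules
}

all_rules
```

Rule order in the nat table is the part that is easy to get wrong: the DMZ exemption has to precede every SNAT rule, and each 1:1 SNAT has to precede the overload rule, otherwise the mapped hosts silently leave under the shared address and their DMZ-side logs become ambiguous again.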