NATting external ip addresses to internal address problem

From: Martin (martinb@go2.ie)
Date: 01/30/02


From: martinb@go2.ie (Martin)
Date: 30 Jan 2002 10:09:35 -0800

Hi all,

My problem is this: I have a firewall machine and a DMZ machine behind
the firewall. The firewall has three cards in it: an EXTIF (eth0), a
DMZIF (eth1) and eth2, which is not being used yet. I have a few spare
external IP addresses, one of which is the EXT_TEST address of
62.xxx.xxx.xxx.
If you haven't already guessed, the functionality I require is for pings
and eventually other traffic directed at the EXT_TEST address to be
NATted to the internal DMZ_TEST address and thus forwarded on to my DMZ
machine. However, if I try to ping EXT_TEST all I get is a load of ARP
requests on the external interface of the firewall. I have a feeling
that it is something other than the firewall script (below) which I'm
using; can anyone help??

ARP requests from tcpdump are as follows (there are about 10 of these
for 3 ping requests, all the same; the first address is the one I'm
pinging, the second is my address):
18:00:09.902601 arp who-has 62.xx.xxx.124 tell 62.xx.xxx.xxx

My routing table is as follows:

Destination     Gateway         Genmask          Flags Metric Ref Use Iface
62.xx.xxx.xx    *               255.255.255.224  U     0      0   0   eth0
10.xx.xx.x      *               255.255.255.0    U     0      0   0   eth1
10.xx.xx.x      *               255.255.255.0    U     0      0   0   eth2
127.0.0.0       *               255.0.0.0        U     0      0   0   lo
default         62.xx.xx.xxx    0.0.0.0          UG    0      0   0   eth0

And my iptables script is as follows:

#!/bin/bash
# Variables the script relies on but did not define in the posted excerpt.
# The values are placeholders: the post gives EXT_TEST as 62.xxx.xxx.xxx and
# the admin host allowed to ssh to the firewall as 62.xx.xxx.97.
IPTABLES=/sbin/iptables
EXTIF=eth0               # external interface
DMZIF=eth1               # DMZ interface
EXT_TEST=62.xxx.xxx.xxx  # spare public address to be NATted (placeholder)
DMZ_TEST=10.xx.xx.xxx    # DMZ machine behind the firewall (placeholder)

function setup_test_firewall()
{
   setup_test_fw_flush             # flush out each chain
   setup_test_fw_blockall          # set default policy to drop all unmatched packets
   setup_test_fw_general
   setup_test_fw_allow_ssh_to_fw   # allow ssh access to the firewall
   setup_test_fw_nat
   setup_test_fw_allow_ssh_to_dmz
   setup_test_fw_allow_icmp
}
function setup_test_fw_flush()
{
   echo "Flushing old rulesets.."
   $IPTABLES -F INPUT
   $IPTABLES -F OUTPUT
   $IPTABLES -F FORWARD
   # the nat rules below are appended with -A, so flush that table as well;
   # otherwise every re-run adds a duplicate set of DNAT/SNAT rules
   $IPTABLES -t nat -F
}
function setup_test_fw_blockall()
{
   echo "setting default drop policy.."
   $IPTABLES -t filter -P INPUT DROP
   $IPTABLES -t filter -P OUTPUT DROP
   $IPTABLES -t filter -P FORWARD DROP
}
function setup_test_fw_allow_ssh_to_fw()
{
   echo "allowing ssh access to the firewall.."
   # only the admin host may open ssh sessions to the firewall itself
   $IPTABLES -t filter -A INPUT -s 62.xx.xxx.97 -p tcp --dport 22 -j ACCEPT
   #$IPTABLES -t filter -A INPUT -s 127.0.0.1 -j ACCEPT
}
function setup_test_fw_allow_ssh_to_dmz()
{
   #$IPTABLES -t filter -A FORWARD -j ACCEPT -m state --state NEW
   $IPTABLES -t filter -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
   # note: these two rules forward everything between the external and DMZ
   # interfaces, not just ssh; FORWARD sees the post-DNAT destination ($DMZ_TEST)
   $IPTABLES -t filter -A FORWARD -i $DMZIF -o $EXTIF -j ACCEPT
   $IPTABLES -t filter -A FORWARD -i $EXTIF -o $DMZIF -j ACCEPT
   $IPTABLES -t filter -A FORWARD -s $DMZ_TEST -j ACCEPT
   #$IPTABLES -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
}

function setup_test_fw_allow_icmp()
{
   $IPTABLES -t filter -A FORWARD -p icmp -j ACCEPT
   $IPTABLES -t filter -A INPUT -p icmp -j ACCEPT
   $IPTABLES -t filter -A OUTPUT -p icmp -j ACCEPT
}
function setup_test_fw_general()
{
   # allow all ESTABLISHED, RELATED traffic out from the firewall
   echo "Est and related on OUTPUT"
   $IPTABLES -t filter -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
   echo "Est and related on INPUT"
   $IPTABLES -t filter -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
}
function setup_test_fw_nat()
{
   echo "Loading iptable_nat module.."
   /sbin/modprobe iptable_nat

   echo "Setting up Nat"
   echo " Enabling IP forwarding." ## needed for Nat
   echo "1" > /proc/sys/net/ipv4/ip_forward

   # incoming ssh and icmp for EXT_TEST are rewritten to the DMZ machine,
   # and its replies are rewritten back to EXT_TEST on the way out
   $IPTABLES -t nat -A PREROUTING -p tcp --dport 22 -d $EXT_TEST -j DNAT --to-destination $DMZ_TEST
   $IPTABLES -t nat -A POSTROUTING -p tcp -s $DMZ_TEST -j SNAT --to-source $EXT_TEST
   $IPTABLES -t nat -A PREROUTING -p icmp -d $EXT_TEST -j DNAT --to-destination $DMZ_TEST
   $IPTABLES -t nat -A POSTROUTING -p icmp -s $DMZ_TEST -j SNAT --to-source $EXT_TEST
}

# build the whole ruleset
setup_test_firewall

Martin
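As an added example (not part of Martin's post or of any reply to it), here is a self-contained script for the same DNAT-to-DMZ setup, with constructed placeholder addresses: 192.0.2.124 stands in for EXT_TEST, 192.0.2.97 for the admin host, 10.0.0.10 for the DMZ machine, and the /27 prefix is taken from the 255.255.255.224 netmask in the routing table above. It includes the step the posted script does not contain: a Linux host answers ARP only for addresses bound to one of its interfaces (or with proxy ARP enabled), so an unanswered "who-has EXT_TEST" on eth0 means no packet for EXT_TEST is ever handed to PREROUTING, whatever the NAT rules say. It also flushes the nat table and narrows FORWARD to the DMZ host and the two published services. The helpers run, build and arp_check are this example's own names. Run as-is it prints the commands it would issue; DRY_RUN=0 executes them (root required).

```shell
#!/bin/sh
# Added example, not Martin's script. All addresses are constructed placeholders.
EXTIF=eth0
DMZIF=eth1
EXT_TEST=192.0.2.124      # stands in for 62.xx.xxx.124 (EXT_TEST)
EXT_PREFIX=27             # 255.255.255.224 from the routing table
ADMIN_HOST=192.0.2.97     # stands in for the host allowed to ssh to the firewall
DMZ_TEST=10.0.0.10        # stands in for the DMZ machine
IPTABLES=/sbin/iptables
IP=/sbin/ip
DRY_RUN=${DRY_RUN:-1}     # 1 = print commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A Linux host replies to ARP only for addresses bound to one of its interfaces
# (or with proxy_arp). Without this binding the "who-has EXT_TEST" requests seen
# in the post go unanswered and nothing for EXT_TEST reaches PREROUTING.
bind_ext_test() {
    run "$IP" addr add "$EXT_TEST/$EXT_PREFIX" dev "$EXTIF"
}

flush_and_default() {
    run "$IPTABLES" -t filter -F
    run "$IPTABLES" -t nat -F       # the post's flush skips nat, so re-runs duplicate rules
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT DROP
    run sysctl -w net.ipv4.ip_forward=1
}

nat_rules() {
    # match the inbound interface so only packets arriving from outside are rewritten
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -d "$EXT_TEST" -j DNAT --to-destination "$DMZ_TEST"
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -s "$DMZ_TEST" -j SNAT --to-source "$EXT_TEST"
}

filter_rules() {
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A OUTPUT -p icmp -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$EXTIF" -s "$ADMIN_HOST" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FORWARD sees the post-DNAT destination, so match DMZ_TEST here, not EXT_TEST,
    # and accept only the published services rather than everything EXTIF->DMZIF
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$DMZIF" -d "$DMZ_TEST" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$DMZIF" -d "$DMZ_TEST" -p icmp --icmp-type echo-request -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$DMZIF" -o "$EXTIF" -s "$DMZ_TEST" -j ACCEPT
}

build() { bind_ext_test; flush_and_default; nat_rules; filter_rules; }

# Classify tcpdump ARP lines (stdin) for EXT_TEST: "answered" if a reply was seen,
# "unanswered" if only who-has requests were seen, "none" if EXT_TEST never appears.
arp_check() {
    asks=0; replies=0
    while IFS= read -r line; do
        case "$line" in
            *"who-has $EXT_TEST "*)     asks=$((asks + 1)) ;;
            *"reply $EXT_TEST is-at "*) replies=$((replies + 1)) ;;
        esac
    done
    if [ "$replies" -gt 0 ]; then echo answered
    elif [ "$asks" -gt 0 ]; then echo unanswered
    else echo none; fi
}

# Constructed capture in the shape of the post's tcpdump line: requests, no reply.
SAMPLE_ARP='18:00:09.902601 arp who-has 192.0.2.124 tell 192.0.2.97
18:00:10.902601 arp who-has 192.0.2.124 tell 192.0.2.97'

build
printf '%s\n' "$SAMPLE_ARP" | arp_check
```

Feeding a real capture (tcpdump -n -i eth0 arp) into arp_check before touching the NAT rules separates the two failure modes cleanly: "unanswered" means the firewall is not claiming the address on the wire, and the fix is at the interface level, not in iptables; "answered" with no ping reply points at the nat or FORWARD rules instead.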


