Is there any problem in my iptables table? (Linux Networking forum, Linux Forums)
Our office network is as below.

                  +-----------+
   -- E1 line --  | eth0      |
                  | Linux Box | eth1 ---------- office pc, demo pc
   -- Cable line- | eth2      |
                  +-----------+

eth0: GW 211.104.XXX.94, IP 211.104.xxx.67, netmask 255.255.255.224
eth2: DHCP
eth1: GW 192.168.1.1, IP 192.168.1.1, netmask 255.255.255.0

In my office, some demo servers and PCs need to use public IPs. Of course, that is very easy, using only iptables DNAT. But someone requested that I set up the firewall so that the demo PCs can be reached by their public IP from inside our office. So I have used some tricks in iptables.

1: iptables -t nat -A PREROUTING -d demopc's public ip -i eth0 -j DNAT --to demopc's private ip
2: iptables -t nat -A PREROUTING -d demopc's public ip -i eth1 -j DNAT --to demopc's private ip
3: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -o eth0 -j SNAT --to 211.104.xxx.67
4: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -o eth1 -j SNAT --to 211.104.xxx.67

Rules 2 and 4 are added for connecting to the demo server by its public IP. In other words, all PCs connect to the server on an SNAT basis. Is there any problem?

--
==================================
Cybermed,Inc
Assistant manager of marketing team
Jiwon, Han
Tel: 82-2-545-4282
Fax: 82-2-545-6042
E-Mail: jwhan@cybermed.co.kr
Homepage: www.cybermed.co.kr
===================================
"jwhan" <jwhan@cybermed.co.kr> wrote news:cadng3$258$1@news1.kornet.net:
> 1: iptables -t nat -A PREROUTING -d demopc's public ip -i eth0 -j DNAT
> --to demopc's private ip.
> 2: iptables -t nat -A PREROUTING -d demopc's public ip -i eth1 -j
> DNAT --to demopc's private ip.

Ok

> 3: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d !
> 192.168.1.0/24 -o eth0 -j SNAT --to 211.104.xxx.67

If eth0 is your "outdoor" interface, you may not need this rule. The return packet will be forwarded to the sender at its source address. This works because you pass through the firewall via 2 interfaces.

> 4: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d !
> 192.168.1.0/24 -o eth1 -j SNAT --to 211.104.xxx.67

If 211.104.xxx.67 is your public IP address, I suggest you set your firewall's private address instead (192.168.0.x); otherwise rule 2 may be applied to the return packet and resend the packet to your server (looping the traffic).

Regards
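Added example, not code from either post: a small Python model of the Linux nat path for the hairpin case asked about above (an office PC connecting to the demo PC's public IP through rules 2 and 4). It models PREROUTING DNAT, routing, POSTROUTING SNAT, conntrack's reverse translation of replies, and the on-link reply path the demo PC takes. The firewall addresses are the thread's; the demo PC's public address (211.104.xxx.70), its private address (192.168.1.10) and the office PC's address (192.168.1.20) are assumed placeholders. The check worth running is that POSTROUTING evaluates -d against the destination as it is after DNAT, so rule 4's "-d ! 192.168.1.0/24" is compared with the demo PC's private address; the model runs rule 4 both as posted and with the match changed to the LAN destination.

```python
# Added example (not from the thread): a toy model of the Linux nat path for
# the hairpin case above.  Firewall addresses are the thread's; the demo PC
# and office PC addresses are assumed placeholders.
from dataclasses import dataclass, replace

FW_PUB, FW_PRIV = "211.104.xxx.67", "192.168.1.1"
DEMO_PUB, DEMO_PRIV = "211.104.xxx.70", "192.168.1.10"  # assumed placeholders
OFFICE_PC = "192.168.1.20"                              # assumed placeholder


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


def in_lan(ip):
    return ip.startswith("192.168.1.")


class Firewall:
    """The thread's nat rules 1-4.  rule4_dst_match(dst) stands in for the
    -d match of POSTROUTING rule 4 so both variants can be tried."""

    def __init__(self, rule4_dst_match):
        self.rule4_dst_match = rule4_dst_match
        self.conntrack = {}  # original 4-tuple -> packet as it left (after NAT)

    def forward(self, pkt, in_if):
        """Returns (packet as it leaves, outgoing interface)."""
        # conntrack: a reply to a tracked flow is reverse-translated and the
        # nat rules are not consulted again (they only see a flow's first packet)
        for orig, xlat in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (xlat.dst, xlat.dport, xlat.src, xlat.sport):
                reply = Pkt(orig.dst, orig.src, orig.dport, orig.sport)
                return reply, "eth1" if in_lan(reply.dst) else "eth0"
        orig = pkt
        # rules 1 and 2 (PREROUTING): DNAT the demo PC's public ip on eth0 and eth1
        if pkt.dst == DEMO_PUB and in_if in ("eth0", "eth1"):
            pkt = replace(pkt, dst=DEMO_PRIV)
        # routing runs after PREROUTING, so it sees the DNATed destination ...
        out_if = "eth1" if in_lan(pkt.dst) else "eth0"
        # ... and so does POSTROUTING, where rules 3 and 4 match on -d
        if in_lan(pkt.src):
            if out_if == "eth0" and not in_lan(pkt.dst):               # rule 3
                pkt = replace(pkt, src=FW_PUB)
            elif out_if == "eth1" and self.rule4_dst_match(pkt.dst):  # rule 4
                pkt = replace(pkt, src=FW_PUB)
        self.conntrack[orig] = pkt
        return pkt, out_if


def demo_pc_reply(syn):
    """The demo PC answers the SYN it saw.  A LAN peer is on-link, so the
    SYN-ACK goes straight to it; any other address goes via the gateway."""
    synack = Pkt(DEMO_PRIV, syn.src, syn.dport, syn.sport)
    via_gateway = not in_lan(synack.dst) or synack.dst == FW_PRIV
    return synack, via_gateway


def hairpin(rule4_dst_match):
    """Office PC opens TCP/80 to the demo PC's public ip.  Returns the source
    address the office PC sees on the SYN-ACK; the handshake only completes
    if that is the public address it connected to."""
    fw = Firewall(rule4_dst_match)
    syn = Pkt(OFFICE_PC, DEMO_PUB, 40000, 80)
    syn_at_demo, out_if = fw.forward(syn, "eth1")
    assert out_if == "eth1" and syn_at_demo.dst == DEMO_PRIV  # rule 2 did its job
    synack, via_gateway = demo_pc_reply(syn_at_demo)
    if not via_gateway:
        # the SYN-ACK bypasses the firewall and is never un-DNATed
        return synack.src
    synack_at_office, _ = fw.forward(synack, "eth1")
    return synack_at_office.src


# rule 4 as posted: "-d ! 192.168.1.0/24", evaluated against the DNATed destination
AS_POSTED = hairpin(lambda dst: not in_lan(dst))
# rule 4 matching the LAN destination instead: "-d 192.168.1.0/24 -o eth1"
LAN_MATCH = hairpin(lambda dst: in_lan(dst))

if __name__ == "__main__":
    print("SYN-ACK source seen by office PC, rule 4 as posted:", AS_POSTED)
    print("SYN-ACK source seen by office PC, rule 4 on LAN dst:", LAN_MATCH)
```

With rule 4 as posted, the model's office PC receives the SYN-ACK directly from 192.168.1.10 while it is waiting for one from 211.104.xxx.70, so the handshake never completes; with the destination match changed to the LAN (or to the demo PC's private address) the SYN-ACK comes back through the firewall and both translations are undone by conntrack. Whichever firewall address is used as the SNAT source, the demo PC's reply has to route back through the firewall for that to happen.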