Help with NAT
mlist@rrbsystems.ch
Wed, 09 Jan 2002 19:27:04 +0100 (CET)
Hello
As you can see I use the iptables utility for accounting.
We have two private networks (172.16.10.0 and 172.16.133.0) which are connected
to the firewall. In the network 172.16.133.0 are some web, mail and ftp
servers. From the outside (internet) they have to be accessible via a public IP.
That means that the web server 172.16.133.58 should have a public IP
1.2.133.58 for example. I tried this with:
$IPTABLES -t nat -A POSTROUTING -s 172.16.133.58 -o $EXT -j SNAT --to-source 1.2.133.58
but it doesn't work.
Can somebody help me and complete my firewall script?
Thanks a lot for your help
Damian
#!/bin/bash
# Firewall script
#==============================================================================
# Variables
#==============================================================================
modprobe ip_tables
modprobe ip_conntrack
IPTABLES=/usr/sbin/iptables
PUBLIC_NET=1.2.133.0/24
PRIVAT_NET=172.16.0.0/16
# $INT and $EXT are used below but were never set in the script as posted;
# the names here are assumed placeholders, adjust them to the real interfaces.
EXT=eth0
INT=eth1
#==============================================================================
# Basic configuration
#==============================================================================
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#==============================================================================
# Default policy and flush
#==============================================================================
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
#==============================================================================
# Accounting (rules without a target only count packets and bytes)
#==============================================================================
$IPTABLES -A FORWARD -s 172.16.10.40
$IPTABLES -A FORWARD -d 172.16.10.40
$IPTABLES -A FORWARD -s 172.16.133.58
$IPTABLES -A FORWARD -d 172.16.133.58
#==============================================================================
# Outgoing packets belonging to an already established connection
#==============================================================================
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
#==============================================================================
# Incoming packets belonging to an existing connection
#==============================================================================
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
#==============================================================================
# Source NAT
#==============================================================================
$IPTABLES -t nat -A POSTROUTING -s 172.16.133.58 -o $EXT -j SNAT --to-source 193.193.133.58
#==============================================================================
# Masquerading
#==============================================================================
$IPTABLES -t nat -A POSTROUTING -s $PRIVAT_NET -o $EXT -j MASQUERADE
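The SNAT rule in the post only rewrites the source of packets leaving the firewall; it does nothing for connections that arrive from the internet for 1.2.133.58, which is why the servers stay unreachable. A one-to-one mapping needs the public address on the firewall, a DNAT rule in PREROUTING for the inbound direction, and the SNAT rule for the outbound direction. The script below is an added example written for this thread, not Damian's code or anything from the netfilter project. The interface names eth0 (external) and eth1 (internal) and the port list 21, 25, 80 are assumptions; the addresses are the ones from the post. With DRY_RUN=1 (the default) it only prints the commands it would run, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: publish one internal server under one public IP (1:1 NAT).
# Assumed: eth0 = external interface, eth1 = internal interface, services on
# TCP 21/25/80. Addresses 172.16.133.58 and 1.2.133.58 are from the post.
# DRY_RUN=1 prints the commands instead of executing them.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# one_to_one_nat PRIVATE_IP PUBLIC_IP EXT_IF INT_IF
one_to_one_nat() {
    priv=$1; pub=$2; ext=$3; int=$4

    # 1. The firewall has to own the public address; otherwise it never
    #    answers ARP for it and inbound packets never reach the nat table.
    run ip addr add "$pub/32" dev "$ext"

    # 2. Inbound: rewrite the destination before routing so the packet is
    #    forwarded to the internal server. This is the half SNAT cannot do.
    run "$IPTABLES" -t nat -A PREROUTING -i "$ext" -d "$pub" \
        -j DNAT --to-destination "$priv"

    # 3. Outbound: rewrite the source so the server appears as the public IP.
    #    Inserted at the top of POSTROUTING so it wins over MASQUERADE.
    run "$IPTABLES" -t nat -I POSTROUTING -s "$priv" -o "$ext" \
        -j SNAT --to-source "$pub"

    # 4. Forward only the published services plus replies. With a FORWARD
    #    policy of ACCEPT (as in the posted script) these are redundant, but
    #    they are what is needed once the policy is tightened to DROP.
    for port in 21 25 80; do
        run "$IPTABLES" -A FORWARD -i "$ext" -o "$int" -d "$priv" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Self-check helper: number of generated lines containing a keyword.
count_rules() {
    one_to_one_nat 172.16.133.58 1.2.133.58 eth0 eth1 | grep -c -- "$1"
}

one_to_one_nat 172.16.133.58 1.2.133.58 eth0 eth1
```

Run it with DRY_RUN=0 as root to apply the rules. Note that the post mentions 1.2.133.58 in the text but 193.193.133.58 in the script; whichever address is used, it must be one that the upstream router actually delivers to the firewall's external interface, otherwise neither rule is ever hit.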