This one time, at band camp, Markus Trümper said:
> Hello,
>
> I'm trying to set up a firewall to do static NAT between two networks:
>
>   internal network
>   192.168.1.0/24
>
>   server 192.168.1.3
>          |
>   LAN_IF 192.168.1.7
>       Firewall
>   EXT_IF 10.80.137.1, 10.80.137.10
>          |
>         DMZ
>   10.80.137.0/24
>
> 'server' should be reachable from the DMZ by talking to 10.80.137.1. That
> address has no other purpose.
> Default policies are currently ACCEPT. All the tables have been cleared before
> I installed the rules posted below.
> Testing is done by connecting a dedicated computer to each interface and trying
> to reach the one on the internal net from the DMZ. The firewall can reach each
> computer and each computer can reach the firewall (ping).
I'm not sure I get you here.  Do you want 192.168.1.3 to appear as though
it's running on 10.80.137.1, or do you want it to appear as itself, but be
protected by a firewall?  You're just connecting two private networks (one
a DMZ), and you set aside an IP that will map to the DMZ address, correct?

> My rules so far don't work. I can not reach 'server' by talking to 10.80.137.1
> on the external IF of the Firewall. Any idea why?
>
> I hope the fact that the two networks are both private networks does not
> create a problem here.

No, that's no problem.

OK, so I think what you have on the firewall machine is:

  eth0    ip 192.168.1.7
  eth1    ip 10.80.137.10
  eth1:0  ip 10.80.137.1

(I will base my rules on that idea - if not, substitute)

If you want requests to go to 10.80.137.1:

  DMZ_IP=10.80.137.1
  LAN_SERVER=192.168.1.3
  # server_ports: the TCP ports 'server' listens on, e.g. "22 80"
  for port in $server_ports; do
      iptables -A FORWARD -p tcp --dport $port -j ACCEPT
      # --dport is only valid together with -p tcp (or udp); without it
      # iptables rejects the rule
      iptables -t nat -A PREROUTING -p tcp -d $DMZ_IP --dport $port \
          -j DNAT --to $LAN_SERVER:$port
  done

If you want requests to go to 192.168.1.3:

  LAN_SERVER=192.168.1.3
  for port in $server_ports; do
      iptables -A FORWARD -p tcp -i eth1 -d $LAN_SERVER --dport $port -j ACCEPT
  done

This will not forward pings and such, only direct queries to the relevant
ports.  If you want to forward pings or something else (udp traffic, etc)
you'll have to set that up.  Also adding ESTABLISHED,RELATED checking would
be good, all the usual stuff.

Note - these rules are pretty rough, and also pretty open.  Look them over
carefully.  I haven't had much coffee yet :)

HTH,
-- 
 -----------------------------------------------------------------
|  ,''`.                                            Stephen Gran |
| : :' :                                        [EMAIL PROTECTED] |
| `. `'                        Debian user, admin, and developer |
|   `-                                     http://www.debian.org |
 -----------------------------------------------------------------
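The DNAT variant from the reply above, carried through with the ESTABLISHED,RELATED handling and a closed FORWARD policy the reply says are still missing, as an added example that is not part of the original mails. Addresses, interfaces and the port-list idea come from the thread; the build_rules/count_rules function names, the APPLY switch and the ip_forward line are assumptions added here, and the script prints the commands so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: generate the rules for "server" (192.168.1.3) to answer on
# the alias address 10.80.137.1 of the DMZ interface.  Nothing is applied
# unless APPLY=1 is set; by default the commands are only printed.

DMZ_IP=10.80.137.1        # eth1:0 alias that stands in for the server
LAN_SERVER=192.168.1.3    # the real server on the internal net
LAN_IF=eth0               # 192.168.1.7 side
DMZ_IF=eth1               # 10.80.137.10 side

# build_rules PORT...: emit one iptables command per line.
build_rules() {
    # The kernel must route between the interfaces at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Close the FORWARD chain; the thread's ACCEPT default would expose the
    # whole internal net, so only the explicit forwards below are allowed.
    echo "iptables -P FORWARD DROP"
    # Replies and related traffic (e.g. ICMP errors) for accepted connections.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        # Rewrite the destination before routing, only for packets arriving
        # on the DMZ side, then let the rewritten packet through FORWARD.
        echo "iptables -t nat -A PREROUTING -i $DMZ_IF -p tcp -d $DMZ_IP --dport $port -j DNAT --to-destination $LAN_SERVER:$port"
        echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -p tcp -d $LAN_SERVER --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# count_rules PORT...: number of commands build_rules emits (3 + 2 per port).
count_rules() {
    build_rules "$@" | wc -l | tr -d ' '
}

# Usage: ./dnat-rules.sh 22 80        (print)
#        APPLY=1 ./dnat-rules.sh 22 80 (apply, needs root)
if [ "${APPLY:-0}" = 1 ]; then
    build_rules "$@" | sh
else
    build_rules "$@"
fi
```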