[ale] iptables problems...static NAT and filtering rules...
Christopher Woodfield
rekoil at semihuman.com
Thu Aug 5 14:49:29 EDT 2004
Hello,
I tried to set up static NAT rules on my iptables firewall, and was not
able to get it to work. A possible cause of the problem (which I
haven't been able to test yet) is that I have a series of port-specific
rules for each host in addition to the SNAT and DNAT rules.
Here are my SNAT/DNAT rules. $HOSTNAME variables are public IPs and
$HOSTNAME_NAT are private IPs; $INETIF is the outside interface and
$LANIF is the inside:
# Set up Static SNAT entries (private to public)
$IPTABLES -t nat -A POSTROUTING -o $INETIF -s $TINO_NAT -j SNAT --to-source $TINO
$IPTABLES -t nat -A POSTROUTING -o $INETIF -s $ELECTRO_NAT -j SNAT --to-source $ELECTRO
$IPTABLES -t nat -A POSTROUTING -o $INETIF -s $TWEEK_NAT -j SNAT --to-source $TWEEK
# Set up Static DNAT entries (public to private)
$IPTABLES -t nat -A PREROUTING -i $INETIF -d $TINO -j DNAT --to-destination $TINO_NAT
$IPTABLES -t nat -A PREROUTING -i $INETIF -d $ELECTRO -j DNAT --to-destination $ELECTRO_NAT
$IPTABLES -t nat -A PREROUTING -i $INETIF -d $TWEEK -j DNAT --to-destination $TWEEK_NAT
#
Then I have a series of port rules; an example is below:
# ssh
$IPTABLES -A FORWARD -p tcp -i $INETIF -o $LANIF -d $TINO_NAT --dport 22 -j ACCEPT
Are rules like these evaluated before or after the DNAT transformation
is done? That is, should the -d on these rules be $TINO_NAT or $TINO?
Thanks,
-C
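The question above comes down to the order in which a forwarded packet traverses the netfilter hooks: nat PREROUTING runs before the routing decision, the filter FORWARD chain runs after it, and nat POSTROUTING runs last. The following model is an added illustration, not code from the original post or from the Ale list; it replaces the post's $TINO / $TINO_NAT shell variables with constructed documentation-range addresses and models only the hooks and rules the post mentions.

```python
"""Model of the netfilter hook order for a forwarded packet.

Added illustration (not from the original post).  Hooks modelled, in
kernel order: nat PREROUTING -> routing decision -> filter FORWARD ->
nat POSTROUTING.  Addresses are constructed placeholders for the post's
$TINO (public) and $TINO_NAT (private) variables.
"""
from dataclasses import dataclass, replace, asdict
from typing import Optional

INETIF, LANIF = "eth0", "eth1"          # outside / inside interfaces
TINO = "203.0.113.10"                   # constructed public address ($TINO)
TINO_NAT = "192.168.1.10"               # constructed private address ($TINO_NAT)
LAN_PREFIX = "192.168.1."               # what the routing table sends out $LANIF


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    dport: int
    out_if: Optional[str] = None        # filled in by the routing decision


def nat_prerouting(pkt: Packet) -> Packet:
    """The post's DNAT rule: -i $INETIF -d $TINO -j DNAT --to-destination $TINO_NAT."""
    if pkt.in_if == INETIF and pkt.dst == TINO:
        return replace(pkt, dst=TINO_NAT)
    return pkt


def routing_decision(pkt: Packet) -> Packet:
    """Choose the output interface from the destination as it is *after* PREROUTING."""
    out_if = LANIF if pkt.dst.startswith(LAN_PREFIX) else INETIF
    return replace(pkt, out_if=out_if)


def filter_forward(pkt: Packet, rules) -> str:
    """Evaluate FORWARD rules in order (first match wins); default policy DROP.

    A rule is a dict of packet fields it must match plus a "target" key,
    e.g. {"in_if": "eth0", "dst": "192.168.1.10", "dport": 22, "target": "ACCEPT"}.
    """
    fields = asdict(pkt)
    for rule in rules:
        if all(fields.get(k) == v for k, v in rule.items() if k != "target"):
            return rule["target"]
    return "DROP"


def nat_postrouting(pkt: Packet) -> Packet:
    """The post's SNAT rule: -o $INETIF -s $TINO_NAT -j SNAT --to-source $TINO."""
    if pkt.out_if == INETIF and pkt.src == TINO_NAT:
        return replace(pkt, src=TINO)
    return pkt


def forward_packet(pkt: Packet, forward_rules):
    """Run one packet through the hooks in kernel order; return (verdict, final packet)."""
    pkt = nat_prerouting(pkt)            # DNAT happens here, before routing
    pkt = routing_decision(pkt)
    verdict = filter_forward(pkt, forward_rules)   # FORWARD sees the DNATed destination
    if verdict == "ACCEPT":
        pkt = nat_postrouting(pkt)       # SNAT happens here, after FORWARD
    return verdict, pkt


def ssh_rule(dst: str) -> dict:
    """The post's '# ssh' FORWARD rule, parameterised on the -d address."""
    return {"in_if": INETIF, "out_if": LANIF, "proto": "tcp", "dst": dst,
            "dport": 22, "target": "ACCEPT"}


# Constructed sample traffic: an inbound SSH connection to the public address,
# and an outbound HTTPS connection from the private host.
INBOUND_SSH = Packet(in_if=INETIF, src="198.51.100.7", dst=TINO, proto="tcp", dport=22)
OUTBOUND_HTTPS = Packet(in_if=LANIF, src=TINO_NAT, dst="198.51.100.7", proto="tcp", dport=443)
# Outbound FORWARD rule: matches on the private source, because SNAT has not run yet.
OUTBOUND_RULE = {"in_if": LANIF, "out_if": INETIF, "src": TINO_NAT, "target": "ACCEPT"}

if __name__ == "__main__":
    for label, rules in (("-d $TINO_NAT", [ssh_rule(TINO_NAT)]), ("-d $TINO", [ssh_rule(TINO)])):
        verdict, final = forward_packet(INBOUND_SSH, rules)
        print(f"inbound ssh, FORWARD rule {label}: {verdict} (dst at FORWARD = {final.dst})")
    verdict, final = forward_packet(OUTBOUND_HTTPS, [OUTBOUND_RULE])
    print(f"outbound https: {verdict}, source on the wire after POSTROUTING = {final.src}")
```

Running the model shows the FORWARD rule matching only when written with the private address: the packet reaching FORWARD already carries `$TINO_NAT` as its destination, and a rule with `-d $TINO` never matches. Symmetrically, outbound FORWARD rules see the private source, since SNAT in POSTROUTING is applied only after the filter verdict.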