Hi Carl

Why not just routing? IMHO, if you simply want a connection from the office
network (129.158.166.0/23) to the database servers network (10.100.1.0/24),
there is no need to NAT any addresses. Your Linux box simply acts as a router.
Don't forget to activate IP forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward)
on the Linux box and ensure that routing on the database servers is set up
properly. If they just have a default route entry which is not the Linux box
itself, packets will never get back to the office network.

If you want an office network IP to be NATed, do source NAT like this:

iptables -t nat -A POSTROUTING -o eth1 -s 129.158.166.0/23 -j SNAT --to 10.100.1.2

With the rule above, packets will be NATed to the IP of the Linux box on the
database servers network. So you don't need to worry about routing.

Of course, for both simple routing and source NAT, you have to set up routing
on the office network machines for the database servers network:

route add -net 10.100.1.0 netmask 255.255.255.0 gw 129.158.166.1

Btw. I like the netfilter package very much. You could also try ipfilter, but
as far as I know it runs only on 2.0 kernels. If you don't care about using
Linux or not, try FreeBSD or OpenBSD; ipfilter is included there.


Cheers
        Phibo
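
Phibo's point about return routing, as an added example that is not part of the
original message: the Python model below walks a packet from an office PC through
Carl's gateway to the database server and back, once with plain routing (the reply
dies on the database server's default gateway unless the server has a route for
129.158.166.0/23 via 10.100.1.2), once with the POSTROUTING SNAT rule (the reply is
addressed to 10.100.1.2 and the gateway's connection-tracking entry de-NATs it), and
once with ip_forward left at 0. The office PC 129.158.166.50, the host names and the
"other" default router 10.100.1.254 are assumptions; link adjacency is simplified to
"some modelled host owns the next-hop address".

```python
"""Toy model of the two setups Phibo describes: plain routing (which needs a
return route on the database servers) and SNAT on the gateway (which does not).
Added example; host names, the office client 129.158.166.50 and the "other"
default router 10.100.1.254 are assumptions, not part of the original thread."""
import ipaddress
from dataclasses import dataclass, field

IP, NET = ipaddress.ip_address, ipaddress.ip_network


@dataclass
class Host:
    name: str
    addrs: dict                                    # iface -> address
    routes: list                                   # (network, gateway|None, iface)
    ip_forward: bool = False                       # /proc/sys/net/ipv4/ip_forward
    snat: list = field(default_factory=list)       # (out_iface, src_net, new_src)
    conntrack: dict = field(default_factory=dict)  # (new_src, dst) -> orig_src

    def owns(self, ip):
        return any(IP(a) == ip for a in self.addrs.values())

    def route(self, dst):
        """Longest-prefix match over the routing table -> (gateway, iface)."""
        best = None
        for net, gw, iface in self.routes:
            n = NET(net)
            if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, gw, iface)
        return best[1:] if best else None


def send(hosts, origin, src, dst, trace):
    """Walk one packet hop by hop. Returns the (src, dst) the receiver saw,
    or None if the packet was dropped. A next hop is considered reachable
    only if some modelled host owns that address (link adjacency assumed)."""
    here = origin
    for _ in range(8):                                      # TTL guard
        if (dst, src) in here.conntrack:                    # reverse an earlier SNAT
            dst = here.conntrack[(dst, src)]
            trace.append(f"{here.name}: de-NAT, dst -> {dst}")
        if here.owns(dst):
            trace.append(f"{here.name}: delivered {src} -> {dst}")
            return src, dst
        if here is not origin and not here.ip_forward:
            trace.append(f"{here.name}: ip_forward=0, dropped")
            return None
        r = here.route(dst)
        if r is None:
            trace.append(f"{here.name}: no route to {dst}, dropped")
            return None
        gw, iface = r
        for out_iface, net, new_src in here.snat:          # POSTROUTING SNAT
            if out_iface == iface and src in NET(net):
                here.conntrack[(IP(new_src), dst)] = src
                trace.append(f"{here.name}: SNAT {src} -> {new_src} on {iface}")
                src = IP(new_src)
        nxt = IP(gw) if gw else dst
        nh = next((h for h in hosts if h.owns(nxt)), None)
        if nh is None:
            trace.append(f"{here.name}: next hop {nxt} via {iface} unreachable, dropped")
            return None
        trace.append(f"{here.name}: {src} -> {dst} via {iface} to {nxt}")
        here = nh
    return None


def build(db_route_via_gateway, snat, ip_forward=True):
    """Carl's topology: office /23 on eth0, database /24 on eth1 (assumed hosts)."""
    client = Host("office-pc", {"eth0": "129.158.166.50"},
                  [("129.158.166.0/23", None, "eth0"),
                   ("10.100.1.0/24", "129.158.166.1", "eth0")])  # route add -net ... gw 129.158.166.1
    gateway = Host("gateway", {"eth0": "129.158.166.1", "eth1": "10.100.1.2"},
                   [("129.158.166.0/23", None, "eth0"),
                    ("10.100.1.0/24", None, "eth1")],
                   ip_forward=ip_forward,
                   snat=[("eth1", "129.158.166.0/23", "10.100.1.2")] if snat else [])
    db_routes = [("10.100.1.0/24", None, "eth0"),
                 ("0.0.0.0/0", "10.100.1.254", "eth0")]   # default gw is NOT the Linux box (assumed)
    if db_route_via_gateway:
        db_routes.append(("129.158.166.0/23", "10.100.1.2", "eth0"))
    db = Host("db-server", {"eth0": "10.100.1.10"}, db_routes)
    return client, gateway, db


def run_scenario(db_route_via_gateway, snat, ip_forward=True):
    """Client -> server request, then the server's reply. True if both arrive."""
    client, gateway, db = build(db_route_via_gateway, snat, ip_forward)
    hosts, trace = [client, gateway, db], []
    seen = send(hosts, client, IP(client.addrs["eth0"]), IP(db.addrs["eth0"]), trace)
    if seen is None:
        return False, trace
    src_seen, dst_seen = seen
    return send(hosts, db, dst_seen, src_seen, trace) is not None, trace


if __name__ == "__main__":
    cases = [
        ("routing, no return route on db", dict(db_route_via_gateway=False, snat=False)),
        ("routing, db routes office via gateway", dict(db_route_via_gateway=True, snat=False)),
        ("SNAT on gateway, no return route on db", dict(db_route_via_gateway=False, snat=True)),
        ("ip_forward=0", dict(db_route_via_gateway=True, snat=False, ip_forward=False)),
    ]
    for label, kw in cases:
        ok, trace = run_scenario(**kw)
        print(f"{label}: {'OK' if ok else 'FAIL'}\n  " + "\n  ".join(trace))
```

Run it and compare the four traces: in the first case the reply leaves the database
server towards 10.100.1.254 and never reaches the office; in the SNAT case the gateway
logs the SNAT on the way out and the de-NAT on the way back, which is exactly why the
database servers need no special route in that setup.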
 

On Thu, 07 Dec 2000, Carl Ma wrote:
>Dear all,
>
>I am looking for a NAT solution on Linux (RedHat 6.2). What I hope to do is 
>static NAT as follows:
>
>Office network  gateway machine        database servers network
>129.158.166.0/23---|           |------ 10.100.1.0/24 --server 1
>                   |           |
>                   eth0        eth1
>             129.158.166.1     10.100.1.2
>                   eth0:0
>             129.158.166.2
>server 1 - one of the database servers in "database servers network", IP is 
>10.100.1.10.
>gateway machine - Linux 6.2 (kernel 2.4-test11 with Netfilter & NAT support)
>
>I hope users could talk to the database server from the office network. So I did the 
>alias on eth0 and want to NAT from 129.158.166.2 to 10.100.1.10. What I did 
>is using iptables as follows:
>#iptables -P INPUT ACCEPT
>#iptables -P OUTPUT ACCEPT
>#iptables -P FORWARD ACCEPT
>#iptables -t nat -A PREROUTING -i eth0 -p tcp -d 129.158.166.2 --dport 23 -j DNAT --to 10.100.1.10:23    <= test the telnet
>
>After that I telnet to 129.158.166.2 from the office, and the telnet session just hangs. I 
>use "tcpdump" to check eth0 and eth1. Both have packets flowing.
>
>I do not know what is wrong with my iptables configuration, and is there any 
>better NAT solution on Linux?
>
>Appreciate any suggestions!
>
>carl
>             
>             
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]