On Tuesday 02 July 2002 8:34 pm, Ben wrote:

> I've got a basic nat setup:
>
>   internet
> +====+=====+ eth0: 1.2.3.4
> | firewall |
> +====+=====+ eth1: 10.0.0.1
>
> +====+=====+ eth0: 10.0.0.2
> |  server  |
> +==========+
>
> What I would like is for packets coming from the server (10.0.0.2) to get
> SNAT'd to the firewall's IP address, 1.2.3.4. It seems easy enough to do:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.2 -j SNAT --to 1.2.3.4
>
> But now I don't see how return packets are going to make it back to my
> server, because the firewall is going to think they are destined for it.

You forget that there is magic inside netfilter :-)

Just use the above rule (along with the appropriate FORWARD rules for 
server-bound requests and internet-bound replies), and it will all work 
wonderfully :-)

> If I add the rule:
>
> iptables -t nat -A PREROUTING -d 1.2.3.4 -i ! eth0 -j DNAT --to 10.0.0.2
>
> Then it seems I lose the ability for the firewall to run anything
> accessible to the outside world, like ssh.

Yes, you are correct, so do not add the above rule :-)


Okay, for a more serious answer....

You are thinking only about IP addresses, and forgetting about port numbers.

The firewall can use the port numbers to identify which incoming packets from 
the Internet are responses to packets it previously translated from the 
server, and it will automatically translate these replies back to the server; 
however any other packets with port numbers which do not correspond to 
previously sent packets do not get automagically translated, and therefore 
terminate on the firewall (eg SSH).

You never normally need to include the second rule you've written unless you 
really do want all packets for IP 1.2.3.4 to be sent on to 10.0.0.2 - in most 
cases you only want this to happen for a few special port numbers (eg TCP 
port 80 if the server is a web server, TCP port 25 if it's a mail server, UDP 
& TCP ports 53 if it's a DNS server, etc).

Therefore I suggest you use something like the following rules (I am assuming 
for this example that the server is a web server running http and not https):

iptables -A PREROUTING -t nat -d 1.2.3.4 -p tcp --dport 80 -i eth0 -j DNAT --to 10.0.0.2
iptables -A FORWARD -p tcp --dport 80 -d 10.0.0.2 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -s 10.0.0.2 -o eth0 -j SNAT --to 1.2.3.4

Then if you want to allow SSH to the firewall itself:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

(it would be good to add a -s a.b.c.d option to this if you can restrict the 
source address range you will be SSHing from)


Antony.
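The rule set from the reply above, assembled as an added example (not part of the original message) into an iptables-restore file with a default-deny FORWARD policy and the source-restricted SSH rule, plus a small check that no catch-all DNAT of the kind Ben first tried has slipped in. The addresses 1.2.3.4 and 10.0.0.2, the interfaces eth0/eth1 and the admin range 192.0.2.0/24 are assumed values for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: emit the reply's rule set as an
# iptables-restore file so it can be reviewed and then loaded atomically with
#   gen_nat_rules 1.2.3.4 10.0.0.2 eth0 eth1 192.0.2.0/24 | iptables-restore
# All addresses, interface names and the admin range are assumed values.
gen_nat_rules() {
    pub="$1" srv="$2" wan="$3" lan="$4" admin="$5"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only TCP/80 for $pub is handed to the server; other ports still end on the firewall
-A PREROUTING -i $wan -d $pub -p tcp --dport 80 -j DNAT --to-destination $srv
# Replies to the server's outbound connections are un-SNATed by conntrack
-A POSTROUTING -o $wan -s $srv -j SNAT --to-source $pub
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH to the firewall itself, limited to the admin range as the reply suggests
-A INPUT -i $wan -p tcp --dport 22 -s $admin -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections: web traffic in to the server (seen post-DNAT), anything out from it
-A FORWARD -i $wan -o $lan -d $srv -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -s $srv -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Review check: exit 0 (true) if any DNAT rule in the text lacks a --dport match,
# i.e. a catch-all rule that would also swallow SSH destined for the firewall.
has_catchall_dnat() {
    printf '%s\n' "$1" | grep -- '-j DNAT' | grep -qv -- '--dport'
}

rules=$(gen_nat_rules 1.2.3.4 10.0.0.2 eth0 eth1 192.0.2.0/24)
printf '%s\n' "$rules"
if has_catchall_dnat "$rules"; then
    echo "refusing to load: a DNAT rule without --dport would redirect every port" >&2
else
    echo "ok: every DNAT rule is port-specific" >&2
fi
```

Loading requires root on the firewall; the generation and the check run anywhere, so the file can be reviewed before it touches the live tables.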
