DNAT forwarding from two Internet connections / uplinks (fwd)
S P Arif Sahari Wibowo 2005-09-24, 8:49 pm
Hi!
I am setting up a firewall that connects to two separate Internet
connections. I need to set the firewall to do DNAT forwarding
(port forwarding) using iptables to several servers inside the LAN.
Do you know how to do that?
I did make the firewall reachable from the second Internet
connection using an iproute2 setup on a different routing table. But
how do I forward this to another server? The other server will reply
to a single firewall address; how does the firewall redirect the reply
from the second Internet connection back to the second Internet
connection?
I tried using SNAT/Masquerading on the connection going out of the
firewall, but it doesn't work. First I tried using marking:
iptables -t mangle -A PREROUTING -d <address-of-2nd-internet> -j MARK --set-mark 0xb
iptables -t nat -A POSTROUTING -m mark --mark 0xb -j SNAT --to-source <fw-address-in-LAN>
This doesn't work. Then I tried just SNATing all connections:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <fw-address-in-LAN>
But this doesn't work either.
Any idea?
I use Linux 2.4.31-grsec with iptables v1.3.1.
Thank you!
--
Stephan Paul Arif Sahari Wibowo
_____ _____ _____ _____
/____ /____/ /____/ /____
_____/ / / / _____/ http://www.arifsaha.com/
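An added example, not from the thread, of the approach that makes the reply path follow the inbound uplink: the PREROUTING MARK above tags only the inbound packet, and the reverse translation of the DNAT on the server's reply is applied after the routing decision, so a from-address ip rule never sees the public address either; storing the mark in the conntrack entry with CONNMARK and restoring it on the reply lets an fwmark rule select the second uplink's table. The script prints the iptables/iproute2 commands instead of applying them; interface names, addresses, table number and port are assumed placeholders, and CONNMARK support in kernel and iptables is assumed (an add-on on the 2.4 series the poster runs).

```shell
#!/bin/sh
# Added example: emit the rules for DNAT over a second uplink with
# connection-mark based policy routing. Review the output, then apply
# with:  sh two_uplinks.sh | sudo sh
# All values below are constructed placeholders, not from the thread.

LAN_IF=eth0            # interface towards the LAN (the thread's -o eth0)
UPLINK2_IF=eth2        # second Internet connection (assumed name)
UPLINK2_GW=203.0.113.1 # gateway of uplink 2 (constructed, TEST-NET-3)
UPLINK2_TABLE=2        # routing table already built with iproute2 (assumed)
MARK=0xb               # the mark value used in the thread
SERVER=192.168.1.10    # LAN server receiving the forwarded port (constructed)
PORT=80

# Print the rule set for the given parameters; nothing is applied here.
gen_rules() {
  lan_if=$1; up_if=$2; up_gw=$3; table=$4; mark=$5; server=$6; port=$7
  cat <<EOF
# Policy routing: any packet carrying the mark is routed via uplink 2
ip route replace default via $up_gw dev $up_if table $table
ip rule add fwmark $mark table $table
# Mark the conntrack entry (not just the packet) for connections that arrive on uplink 2
iptables -t mangle -A PREROUTING -i $up_if -m state --state NEW -j CONNMARK --set-mark $mark
# Copy the connection mark onto the server's replies coming back from the LAN,
# so the routing decision that follows sends them out through uplink 2
iptables -t mangle -A PREROUTING -i $lan_if -j CONNMARK --restore-mark
# The port forward itself, restricted to uplink 2
iptables -t nat -A PREROUTING -i $up_if -p tcp --dport $port -j DNAT --to-destination $server:$port
iptables -A FORWARD -i $up_if -o $lan_if -d $server -p tcp --dport $port -j ACCEPT
iptables -A FORWARD -i $lan_if -o $up_if -s $server -p tcp --sport $port -m state --state ESTABLISHED -j ACCEPT
EOF
}

gen_rules "$LAN_IF" "$UPLINK2_IF" "$UPLINK2_GW" "$UPLINK2_TABLE" "$MARK" "$SERVER" "$PORT"
```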
S P Arif Sahari Wibowo wrote:
> Hi!
>
> I am setting up a firewall that connects to two separate Internet
> connections. I need to set the firewall to do DNAT forwarding (port
> forwarding) using iptables to several servers inside the LAN. Do you know
> how to do that?
>
> I did make the firewall reachable from the second Internet connection using
> an iproute2 setup on a different routing table. But how do I forward this to
> another server? The other server will reply to a single firewall address;
> how does the firewall redirect the reply from the second Internet connection
> back to the second Internet connection?
>
> I tried using SNAT/Masquerading on the connection going out of the firewall,
> but it doesn't work. First I tried using marking:
>
> iptables -t mangle -A PREROUTING -d <address-of-2nd-internet> -j MARK
> --set-mark 0xb
>
> iptables -t nat -A POSTROUTING -m mark --mark 0xb -j SNAT --to-source
> <fw-address-in-LAN>
The <fw-address-in-LAN> is the address of your server behind your firewall,
instead of the firewall's address. This way, you can make it appear that this
packet is going out from this server.
The <fw-address-in-LAN> acts as a default gateway for the server's reply.
Good luck
>
>
> This doesn't work. Then I tried just SNATing all connections:
>
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
> <fw-address-in-LAN>
>
> But this doesn't work either.
>
> Any idea?
>
> I use linux 2.4.31-grsec with iptables v1.3.1
>
> Thank you!
>
S P Arif Sahari Wibowo 2005-10-05, 9:03 pm
On Sun, 25 Sep 2005, root wrote:
> The <fw-address-in-LAN> is address of your server behind your
> firewall address instead of firewall. By this way, you can
> make pretend this packet out going from this server.
It doesn't make sense, but I tried it anyway, and it did not work.
It doesn't make sense, since if the <fw-address-in-LAN> is a
server behind the firewall, then the return packet will be sent to
that server instead of to the firewall. That means the return packet
won't go to the client outside the firewall.
Maybe my question is not clear enough. I will try to clarify it.
--
Stephan Paul Arif Sahari Wibowo
_____ _____ _____ _____
/____ /____/ /____/ /____
_____/ / / / _____/ http://www.arifsaha.com/