Firewall Wizards mailing list archives
Re: Non-NAT Firewall
From: Sigurd Urdahl <sigurdur () linpro no>
Date: 11 Nov 2005 00:15:44 +0100
Nathaniel Hall <nathaniel.d.hall () gmail com> writes:
Alright, this is a bit tough to explain, so I will try my best. I am currently running a CheckPoint-NG firewall with three interfaces. Interface 1 goes to DMZ 1 (public IP addressing and Internet facing), interface 2 goes to DMZ 2 (public IP addressing) and interface 3 goes to the internal network (private IP addressing). The CheckPoint FW does not perform NAT. That allows me to review logs of servers in DMZ 1 without having to figure out what internal IP was NATed. Now, for my problem. I would like to be able to have the same functionality using NetFilter, but I have not been able to figure out how to do this without masquerading or using DNAT and SNAT. Any ideas?
I don't get it. You say the CP box doesn't do NAT. But I assume you still have the internal clients accessing the Internet NATed? If what you want is to have traffic from the internal net not be NATed if going to one of the DMZs, but NATed if going to the Internet, you should probably be able to do something like this:

    iptables -t nat -A PREROUTING -i eth2 --destination $DMZ1 --source $INTERNAL -j ACCEPT
    iptables -t nat -A PREROUTING -i eth2 --destination $DMZ2 --source $INTERNAL -j ACCEPT
    iptables -t nat -A PREROUTING -i eth2 --destination $DMZ1 --source $INTERNAL -j DNAT --to $EXTERNAL_IP

with $DMZ1, $DMZ2 and $INTERNAL being the different nets, e.g. 10.12.25.0/24, and $EXTERNAL_IP being the address on the firewall that you want the clients to come through when going out on the Internet.

And of course you'll have to adjust the targets; you most likely will want to jump to a chain with rules instead of to ACCEPT. And make those chains end in a DROP or something, otherwise packets might fall through and hit the DNAT rule.

Disclaimer: I haven't tested that this actually works (need to rebuild that testbox :-), but at least iptables doesn't complain when I try to add that kind of rule on my workstation.

kind regards,
-sig
--
Sigurd Urdahl sigurdur () linpro no
Systemkonsulent og sånt / Systems consultant and such
Linpro A/S http://www.linpro.no/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
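The policy the reply sketches, written out as an added example that is not part of the original thread: internal-to-DMZ traffic is exempted from NAT so DMZ server logs show real internal addresses, and only Internet-bound traffic is source-NATed. The interface names (eth0 toward DMZ 1/Internet, eth2 internal), the DMZ prefixes and the firewall address are assumptions chosen from documentation ranges; 10.12.25.0/24 is the internal net from the post. It differs from the sketch in one deliberate way: address rewriting for outbound clients is done with SNAT in POSTROUTING rather than DNAT in PREROUTING, because DNAT changes the destination of a packet, and SNAT is only accepted in the POSTROUTING chain. Rule order matters, since DMZ 1 and the Internet sit behind the same interface.

```shell
#!/bin/sh
# Added example, not from the original post. Emits (or applies) the nat-table
# rules for a firewall that does not NAT between the internal net and the DMZs.
EXT_IF=eth0               # assumed: interface 1, DMZ 1 and Internet facing
INT_IF=eth2               # assumed: interface 3, internal network
DMZ1=203.0.113.0/24       # constructed documentation-range value
DMZ2=198.51.100.0/24      # constructed documentation-range value
INTERNAL=10.12.25.0/24    # internal net from the post
EXTERNAL_IP=203.0.113.1   # constructed: firewall address clients appear from

# Dry run by default: the rules are only printed. Set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

nat_rules() {
  # Exempt internal -> DMZ traffic from NAT. These must come before the SNAT
  # rule because DMZ 1 traffic also leaves on $EXT_IF.
  $IPT -t nat -A POSTROUTING -s "$INTERNAL" -d "$DMZ1" -j ACCEPT
  $IPT -t nat -A POSTROUTING -s "$INTERNAL" -d "$DMZ2" -j ACCEPT
  # Everything else from the internal net that leaves on the external
  # interface gets its source rewritten to the firewall's address.
  $IPT -t nat -A POSTROUTING -s "$INTERNAL" -o "$EXT_IF" -j SNAT --to-source "$EXTERNAL_IP"
  # Filtering (what internal hosts may reach in the DMZs) belongs in the
  # filter table's FORWARD chain, not in the nat table, which is consulted
  # only for the first packet of each connection.
  $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INTERNAL" -d "$DMZ1" -j ACCEPT
  $IPT -A FORWARD -i "$INT_IF" -s "$INTERNAL" -d "$DMZ2" -j ACCEPT
  $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INTERNAL" -j ACCEPT
}

# Review helper: number of generated rules whose text matches a pattern.
# Lets the policy be checked before it is applied to a live box.
count_rules() {
  nat_rules | grep -c -- "$1" || true
}

nat_rules
```

Run it as-is to review the rule set; only the dry-run output is printed. Reviewing the generated lines first (for example confirming there is exactly one SNAT rule and that the DMZ exemptions precede it) is the check the reply's disclaimer asks for, and it does not require the test box.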
Current thread:
- Non-NAT Firewall Nathaniel Hall (Nov 10)
- Re: Non-NAT Firewall Devdas Bhagat (Nov 17)
- RE: Non-NAT Firewall Paul Melson (Nov 17)
- Re: Non-NAT Firewall Sigurd Urdahl (Nov 17)
- Re: Non-NAT Firewall Nathaniel Hall (Nov 17)
- Re: Non-NAT Firewall R. DuFresne (Nov 22)