Firewall Wizards mailing list archives

Re: Non-NAT Firewall


From: Sigurd Urdahl <sigurdur () linpro no>
Date: 11 Nov 2005 00:15:44 +0100

Nathaniel Hall <nathaniel.d.hall () gmail com> writes:

> Alright, this is a bit tough to explain, so I will try my best.
> 
> I am currently running a CheckPoint-NG firewall with three interfaces.
> Interface 1 goes to DMZ 1 (public IP addressing and Internet facing),
> interface 2 goes to DMZ 2 (public IP addressing) and interface 3 goes to
> the internal network (private IP addressing).  The CheckPoint FW does
> not perform NAT.  That allows me to review logs of servers in DMZ 1
> without having to figure out what internal IP was NATed.
> 
> Now, for my problem.  I would like to be able to have the same
> functionality using NetFilter, but I have not been able to figure out
> how to do this without masquerading or using DNAT and SNAT.  Any ideas?

I don't get it. You say the CP box doesn't do NAT. But I assume you
still have the internal clients accessing the Internet NATed?

If what you want is to have traffic from the internal net not be NATed
if going to one of the DMZs, but NATed if going to the internet, you
should probably be able to do something like this:

# Source NAT happens in POSTROUTING; an ACCEPT there creates no mapping
iptables -t nat -A POSTROUTING --source $INTERNAL --destination $DMZ1 -j ACCEPT
iptables -t nat -A POSTROUTING --source $INTERNAL --destination $DMZ2 -j ACCEPT
# Everything else from the internal net (Internet-bound) gets the external address
iptables -t nat -A POSTROUTING --source $INTERNAL -j SNAT --to-source $EXTERNAL_IP

with $DMZ1, $DMZ2 and $INTERNAL being the different nets, e.g.
10.12.25.0/24, and $EXTERNAL_IP being the address on the firewall that
you want the clients to come through when going out on the
Internet. And of course you'll have to adjust the targets; you most
likely will want to jump to a chain with rules instead of to
ACCEPT. And make those chains end in a DROP or something, otherwise
packets might fall through and hit the DNAT-rule.


Disclaimer: I haven't tested that this actually works (need to rebuild
that testbox:-), but at least iptables doesn't complain when I try
to add that kind of rule to my workstation.

kind regards,

-sig
-- 
Sigurd Urdahl                           sigurdur () linpro no
Systemkonsulent og sånt        Systems consultant and such
Linpro A/S                           http://www.linpro.no/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
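Added example, not part of the thread: a complete netfilter ruleset for the setup asked about above (internal-to-DMZ traffic untranslated so DMZ server logs show real client addresses, only Internet-bound traffic source-NATed), with the access control placed in the filter table where it belongs. The interface names eth0/eth1/eth2, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.1 values, and the DRY_RUN switch are assumptions for illustration; 10.12.25.0/24 is the internal net from the reply.

```shell
#!/bin/sh
# Added example (not from the original post). Interface names and the
# DMZ/external addresses are assumed placeholders; adjust for your box.
INTERNAL=10.12.25.0/24     # interface 3 in the question, assumed to be eth2
DMZ1=192.0.2.0/24          # interface 1, Internet facing, assumed to be eth0
DMZ2=198.51.100.0/24       # interface 2, assumed to be eth1
EXTERNAL_IP=203.0.113.1    # firewall's own address on the eth0 side
: "${DRY_RUN:=1}"          # DRY_RUN=1 prints the rules instead of applying them

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

nat_rules() {
    # The nat table sees only the first packet of each connection. ACCEPT
    # here means "create no NAT mapping", so DMZ servers log 10.12.25.x
    # clients as themselves. Order matters: exemptions before the SNAT rule.
    ipt -t nat -A POSTROUTING -s "$INTERNAL" -d "$DMZ1" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$INTERNAL" -d "$DMZ2" -j ACCEPT
    # Whatever is left from the internal net leaving eth0 is Internet-bound.
    ipt -t nat -A POSTROUTING -s "$INTERNAL" -o eth0 -j SNAT --to-source "$EXTERNAL_IP"
}

filter_rules() {
    # An ACCEPT in the nat table never permits a packet by itself; the
    # policy decision is made here in the filter table's FORWARD chain.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i eth2 -s "$INTERNAL" -d "$DMZ1" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -i eth2 -s "$INTERNAL" -d "$DMZ2" -j ACCEPT
    ipt -A FORWARD -i eth2 -s "$INTERNAL" -o eth0 ! -d "$DMZ1" -j ACCEPT
    ipt -A FORWARD -i eth0 -d "$DMZ1" -p tcp --dport 80 -j ACCEPT
}

nat_rules
filter_rules
```

Run with DRY_RUN=0 as root to apply; afterwards `iptables -t nat -L POSTROUTING -v -n` shows the two exemption rules' packet counters rising for DMZ-bound connections while the SNAT rule's counter only moves for Internet traffic.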

