Firewall Wizards mailing list archives

Re: Non-NAT Firewall


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 18 Nov 2005 11:37:47 -0500 (EST)

On Thu, 11 Nov 2005, Sigurd Urdahl wrote:

> Nathaniel Hall <nathaniel.d.hall () gmail com> writes:
>
> > Alright, this is a bit tough to explain, so I will try my best.
> >
> > I am currently running a CheckPoint-NG firewall with three interfaces.
> > Interface 1 goes to DMZ 1 (public IP addressing and Internet facing),
> > interface 2 goes to DMZ 2 (public IP addressing) and interface 3 goes to
> > the internal network (private IP addressing).  The CheckPoint FW does
> > not perform NAT.  That allows me to review logs of servers in DMZ 1
> > without having to figure out what internal IP was NATed.
> >
> > Now, for my problem.  I would like to be able to have the same
> > functionality using NetFilter, but I have not been able to figure out
> > how to do this without masquerading or using DNAT and SNAT.  Any ideas?
>
> I don't get it. You say the CP box doesn't do NAT. But I assume you
> still have the internal clients accessing the Internet NATed?
>
> If what you want is to have traffic from the internal net not be NATed
> if going to one of the DMZs, but NATed if going to the internet you
> should probably be able to do something like this:
>
> # ACCEPT in the nat table means "no NAT for this connection"; the exemptions go in POSTROUTING, the chain where source NAT is decided.
> iptables -t nat -A POSTROUTING -s $INTERNAL -d $DMZ1 -j ACCEPT
> iptables -t nat -A POSTROUTING -s $INTERNAL -d $DMZ2 -j ACCEPT
> # Everything else from the internal net that leaves the Internet-facing interface (eth0 assumed) gets its source rewritten to $EXTERNAL_IP.
> iptables -t nat -A POSTROUTING -s $INTERNAL -o eth0 -j SNAT --to-source $EXTERNAL_IP
>
> with $DMZ1, $DMZ2 and $INTERNAL being the different nets, e.g.
> 10.12.25.0/24 and $EXTERNAL_IP being the address on the firewall that
> you want the clients to come through when going out on the
> Internet. And of course you'll have to adjust the targets, you most
> likely will want to jump to a chain with rules instead of to
> ACCEPT. And make those chains end in a DROP or something, otherwise
> packets might fall through and hit the DNAT-rule.
>
>
> Disclaimer: I haven't tested that this actually works (need to rebuild
> that testbox:-), but at least iptables doesn't complain when I try
> to add that kind of rules to my workstation.


I keep getting the impression that NAT is taking place at least for eth2;

"interface 3 goes to the internal network (private IP addressing)"

And if my reading is correct then it's likely 1:1 NAT rather than mere masq or other forms of NAT, which is really poorly documented in the linux/iptables literature. We found that some iproute2 majik was required to do 1:1 NAT under iptables;


    ip addr add {public address} dev ${outside}

one such command per external address mapped to an inside private address, with pretty much open forwarding rules <-j ACCEPT>, in addition to the post/pre:routing rules within the iptables rulesets.

the documentation on functionality tween iptables and the various iproute2 utilities is poor, lacking at best, but if one taps the right folks with the right info they can get some of the majik chants required. iptables-specific issues are likely best addressed to the netfilter mailing list.

Of course, since we are reading here on the quick in work mode, perhaps I've missed something and am entirely off-base here.

Thanks,

Ron DuFresne
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
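A worked version of the 1:1 NAT setup Ron sketches above, added here as an illustration and not taken from the thread: the public address is bound to the outside interface with iproute2 so the firewall answers ARP for it, then DNAT maps inbound traffic to the inside host and SNAT maps that host's outbound connections back to its own public address rather than the firewall's. Interface names, addresses and the single allowed service port are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one 1:1 (static) NAT mapping of a
# public address to an inside host.  Interface names and addresses are
# assumed/constructed for illustration.
OUTSIDE=eth0            # Internet-facing interface (assumed)
PUBLIC=203.0.113.10     # public address to expose (constructed, documentation range)
PRIVATE=10.12.25.10     # inside host that owns it (constructed)

# Print the commands for one mapping; pass "apply" as the 4th argument to
# run them instead (needs root).  Returns non-zero if any applied command fails.
onetoone_nat() {
    pub=$1; priv=$2; out=$3; mode=${4:-print}
    set -- \
      "ip addr add $pub/32 dev $out" \
      "iptables -t nat -A PREROUTING -d $pub -j DNAT --to-destination $priv" \
      "iptables -t nat -A POSTROUTING -s $priv -o $out -j SNAT --to-source $pub" \
      "iptables -A FORWARD -d $priv -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -d $priv -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT" \
      "iptables -A FORWARD -s $priv -j ACCEPT"
    # Step 1: the iproute2 part.  Without the address on the outside interface
    #   the firewall never answers ARP for $pub, so the upstream router never
    #   hands it the packets and the DNAT rule has nothing to act on.
    # Step 2: DNAT in PREROUTING rewrites the destination to the inside host
    #   before routing; conntrack un-NATs the replies automatically.
    # Step 3: SNAT in POSTROUTING makes the host's own outbound traffic leave
    #   from $pub, which is what keeps the DMZ server logs readable.
    # Steps 4-6: FORWARD rules.  Ron's note uses open ACCEPTs; here inbound
    #   NEW connections are limited to one assumed service port (443) and
    #   replies/related traffic, while the host may initiate freely.
    for cmd in "$@"; do
        if [ "$mode" = apply ]; then $cmd || return 1; else printf '%s\n' "$cmd"; fi
    done
}

onetoone_nat "$PUBLIC" "$PRIVATE" "$OUTSIDE"
```

Run it once per public/private pair; the printed form doubles as a rule review before anything is applied.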
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards