Firewall Wizards mailing list archives
Re: Non-NAT Firewall
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 18 Nov 2005 11:37:47 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 11 Nov 2005, Sigurd Urdahl wrote:
> Nathaniel Hall <nathaniel.d.hall () gmail com> writes:
>
> > Alright, this is a bit tough to explain, so I will try my best. I am
> > currently running a CheckPoint-NG firewall with three interfaces.
> > Interface 1 goes to DMZ 1 (public IP addressing and Internet facing),
> > interface 2 goes to DMZ 2 (public IP addressing) and interface 3 goes
> > to the internal network (private IP addressing). The CheckPoint FW does
> > not perform NAT. That allows me to review logs of servers in DMZ 1
> > without having to figure out what internal IP was NATed.
> >
> > Now, for my problem. I would like to be able to have the same
> > functionality using NetFilter, but I have not been able to figure out
> > how to do this without masquerading or using DNAT and SNAT. Any ideas?
>
> I don't get it. You say the CP box doesn't do NAT. But I assume you still
> have the internal clients accessing the Internet NATed?
>
> If what you want is to have traffic from the internal net not be NATed
> if going to one of the DMZs, but NATed if going to the Internet, you
> should probably be able to do something like this:
>
>   iptables -t nat -A POSTROUTING --source $INTERNAL --destination $DMZ1 -j ACCEPT
>   iptables -t nat -A POSTROUTING --source $INTERNAL --destination $DMZ2 -j ACCEPT
>   iptables -t nat -A POSTROUTING --source $INTERNAL -j SNAT --to-source $EXTERNAL_IP
>
> with $DMZ1, $DMZ2 and $INTERNAL being the different nets, e.g. 10.12.25.0/24,
> and $EXTERNAL_IP being the address on the firewall that you want the clients
> to come through when going out on the Internet.
>
> And of course you'll have to adjust the targets; you most likely will want
> to jump to a chain with rules instead of to ACCEPT. And make those chains
> end in a DROP or something, otherwise packets might fall through and hit
> the SNAT rule.
>
> Disclaimer: I haven't tested that this actually works (need to rebuild that
> testbox :-), but at least iptables doesn't complain when I try to add that
> kind of rules to my workstation.
I keep getting the impression that NAT is taking place at least for eth2; "interface 3 goes to the internal network (private IP addressing)". And if my reading is correct then it's likely 1:1 NAT rather than mere masq or other forms of NAT, which is really poorly documented in the linux/iptables literature. We found that some iproute2 majik was required to do 1:1 NAT under iptables:

  ip addr add {public address} dev ${outside}

one such command per external address mapped to an inside private address, with pretty much open forwarding rules (-j ACCEPT), in addition to the post/pre-routing rules within the iptables rulesets.

The documentation on functionality 'tween iptables and the various iproute2 utilities is poor, lacking at best, but if one taps the right folks with the right info they can get some of the majik chants required. iptables-specific issues are likely best addressed to the netfilter mailing list.
Of course, since we are reading here on the quick in work mode, perhaps I've missed something and am entirely off-base here.
Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDfgNest+vzJSwZikRAtMTAJ9LL5DcZBUVq0luXGxbGkcDHY0WdwCfR6El
1H4ztWfpEUgLRO+pxKaBKW0=
=iSNJ
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
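The two configurations discussed in this thread, Sigurd's selective NAT (internal-to-DMZ traffic left un-NATed, internal-to-Internet traffic source-NATed) and Ron's 1:1 NAT with an extra `ip addr add`, are shown together below as an added example; it is not code from either poster. The script emits the iproute2/iptables commands rather than applying them, so it can be inspected without root and piped to `sh` on the firewall when wanted. The interface name eth0, all addresses, the function names, and the port-list argument to the 1:1 helper are constructed assumptions; the netfilter behaviour it relies on (NAT decided in nat/POSTROUTING on a connection's first packet, ACCEPT there meaning "no NAT for this connection", DNAT paired with a matching SNAT for 1:1) is standard.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the iproute2/iptables commands for
# the two set-ups discussed above instead of applying them; pipe the output to
# sh on the firewall to apply. Interface names and all addresses are constructed.

OUTSIDE=eth0                 # assumed Internet-facing interface
INTERNAL=10.12.25.0/24       # internal net (example prefix from the thread)
DMZ1=192.0.2.0/24            # public DMZ 1 (documentation prefix as stand-in)
DMZ2=198.51.100.0/24         # public DMZ 2
EXTERNAL_IP=203.0.113.1      # firewall's own public address used for SNAT

# Case (a): internal -> DMZ keeps its real source address, internal -> Internet
# is source-NATed. NAT is decided in nat/POSTROUTING on a connection's first
# packet and ACCEPT there means "no NAT for this connection", so the DMZ
# exemptions must precede the catch-all SNAT rule or packets fall through to it.
selective_nat_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j ACCEPT\n' "$INTERNAL" "$DMZ1"
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j ACCEPT\n' "$INTERNAL" "$DMZ2"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$INTERNAL" "$OUTSIDE" "$EXTERNAL_IP"
}

# Case (b): 1:1 NAT of one public address ($1) to one private host ($2), with
# $3 the comma-separated TCP ports the host serves (e.g. 80,443). The firewall
# must own the public address (answer ARP for it) before any packet reaches the
# DNAT rule; that is the "ip addr add" step from the mail.
one_to_one_nat_rules() {
    pub=$1
    priv=$2
    ports=$3
    printf 'ip addr add %s/32 dev %s\n' "$pub" "$OUTSIDE"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$OUTSIDE" "$pub" "$priv"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$priv" "$OUTSIDE" "$pub"
    # Forwarding is still governed by the filter table. Instead of the wide-open
    # "-j ACCEPT" mentioned in the mail, only admit new inbound connections to
    # the served ports; replies are covered by the conntrack rule in ruleset().
    printf 'iptables -A FORWARD -i %s -d %s -p tcp -m multiport --dports %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$OUTSIDE" "$priv" "$ports"
}

# Full ruleset in the order that matters: the host-specific 1:1 SNAT must come
# before the general internal-net SNAT, otherwise a 1:1 host that lives inside
# $INTERNAL is swallowed by the catch-all and leaves with the wrong address.
ruleset() {
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    one_to_one_nat_rules 203.0.113.10 10.12.25.10 80,443
    selective_nat_rules
}

# Number of command lines a generator produces (grep -c prints a bare number).
rule_count() { "$@" | grep -c . ; }

ruleset
```

Run it as-is to review the commands; `./script.sh | sh` as root applies them. Sigurd's remark about jumping to a chain that ends in DROP is the same concern the ordering comments address: whatever sits before the catch-all SNAT must terminate for the exempted traffic, or it is NATed after all.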
Current thread:
- Non-NAT Firewall Nathaniel Hall (Nov 10)
- Re: Non-NAT Firewall Devdas Bhagat (Nov 17)
- RE: Non-NAT Firewall Paul Melson (Nov 17)
- Re: Non-NAT Firewall Sigurd Urdahl (Nov 17)
- Re: Non-NAT Firewall Nathaniel Hall (Nov 17)
- Re: Non-NAT Firewall R. DuFresne (Nov 22)