Surely you want your firewall between your customers and the router (ie between your customers and the net.)
Internet
   |
Router
   |
   - eth0
Firewall
   |
   - eth1
Internal Lan

(presuming that the firewall is multihomed)

If it's like this then all you need to do is

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and add the forwarding rules

iptables -A FORWARD -i eth1 -s 192.168.17.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.17.0/24 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

and set the policies to drop anything else.

I think this is correct, please inform me if it isn't.

HTH,
charlie

(ps NAT is ugly, maybe using a proxy would be more suitable)

On Tue, 2003-05-27 at 16:27, Mark Devin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have a setup which is confusing me regarding SNAT.
>
> Basically the network looks like:
>  ------------
> | Firewall |
>  ------------
>      |
>      |
>  ----------
>  | Router |-------------> Internet
>  ----------
>     |||
>     |||
>  ------------------------------------------
> | Customers on 192.168.17.0/24 addresses |
>  ------------------------------------------
>
> Customers trying to connect to services on the internet send traffic to
> the router which forwards it to the firewall box. The firewall box then
> needs to NAT these packets and send them back out the same interface to
> the router. The router then will send these packets (now with source
> address of the firewall) out to the internet.
>
> How do you do this? Is it possible?
>
> I was thinking having a POSTROUTING rule like:
> $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.17.0/24 \
>     -j SNAT --to-source $INET_IPADDR
>
> And then two FORWARD rules like:
> $IPTABLES -A FORWARD -i eth0 -o eth0 -s 192.168.17.0/24 -j ACCEPT
> $IPTABLES -A FORWARD -i eth0 -o eth0 -d 192.168.17.0/24 -j ACCEPT
>
> Notice that the in interface and the out interface are both eth0. I am
> confused about this. Can you even have a rule on the FORWARD chain
> which goes in and out the same interface?
>
> If anyone can enlighten me I would be grateful.
>
> Regards.
> Mark.
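For reference, an added example (not from either poster) of a complete rule set for Mark's one-armed topology, answering the question of in and out on the same interface: a dry-run shell script where eth0, the IPT dry-run variable and the public address 198.51.100.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example for the one-armed setup in the thread: customers on
# 192.168.17.0/24 reach the firewall via the router on its single
# interface, are SNATed to the firewall's public address, and go back
# out the same interface. Interface name and public address are assumed.
# IPT defaults to a dry run that only prints the rules; run with
# IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
EXT_IF="eth0"                                  # the one interface (assumed name)
CUSTOMERS="192.168.17.0/24"
INET_IPADDR="${INET_IPADDR:-198.51.100.10}"    # placeholder public address

hairpin_rules() {
    # Default deny for transit traffic. Policies for the firewall host's
    # own INPUT/OUTPUT chains are a separate concern and not set here.
    # net.ipv4.ip_forward must also be 1 or FORWARD is never consulted.
    $IPT -P FORWARD DROP

    # Customer -> Internet. In and out on the same interface is legal in
    # FORWARD; the source match is what identifies this direction.
    $IPT -A FORWARD -i "$EXT_IF" -o "$EXT_IF" -s "$CUSTOMERS" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Internet -> customer. Only replies to connections the customers
    # opened. Conntrack reverses the SNAT before FORWARD sees the reply,
    # so the destination match is the private range, not $INET_IPADDR.
    $IPT -A FORWARD -i "$EXT_IF" -o "$EXT_IF" -d "$CUSTOMERS" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SNAT belongs in the nat table's POSTROUTING chain, which accepts
    # -o but not -i; the reply translation happens automatically.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$CUSTOMERS" \
        -j SNAT --to-source "$INET_IPADDR"
}

hairpin_rules
```

The dry run prints four rules; the same ordering applies when loaded for real, since a DROP policy with no FORWARD accepts would otherwise cut the customers off while the nat rule is still being added.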

