/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

Nicolas Gosselin <[EMAIL PROTECTED]> wrote:
>
> eth0 is external (public ip)
> eth1 is external (public ip)
> eth2 is internal (private ip, 192.x.x.x)

Do you really need to have TWO different external interfaces?  You could
have just one, and assign two IP's to it.

The problem with two interfaces is that you need some mechanism to
select which interface the traffic will be sent out.  Iptables does not
set routing policy.  It can modify packets and it can allow or disallow
them, but the routing DECISION is made by route tables, not by iptables.

To really do what you want, you would need some package such as
iproute2, which can specify source-routing (traffic from internal server
gets routed through second interface, everything else routes through
first interface).  Then you can write iptables rules that respond to
those routing decisions and do the right thing.

However, if you have only ONE external interface, with two different
IP's, then a simple default route is sufficient to route the traffic,
and you can still write iptables rules to determine which of the two
IP's will be assigned to outgoing traffic.

I will write some rules that assume there are only two interfaces:

    INTIF=(name of internal interface)
    EXTIF=(name of external interface)

    EXTIPONE=(first ip of external interface)
    EXTIPTWO=(second ip of external interface)

    INTNET=(pattern that describes internal network, eg. 192.168.1.0/24)

    INTIPSERVER=(ip of internal server)

    PORT=(port on which the internal server accepts connections, eg. 80)

> I have eth0 using SNAT to allow the workstations out on one ip.
> 
> I am trying to have the server on the internal network use the
> external ip that eth1 has when it pushes traffic out, as well as when
> it receives traffic since it's a server, http, etc etc

First you need to allow traffic through the FORWARD chain:

    iptables -P FORWARD  DROP
    iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    iptables -A FORWARD -i $EXTIF -o $INTIF -m state \
                        --state ESTABLISHED,RELATED -j ACCEPT
    # DNAT in nat/PREROUTING runs before the FORWARD chain, so FORWARD
    # sees the already-translated destination ($INTIPSERVER), not $EXTIPTWO.
    iptables -A FORWARD -i $EXTIF -o $INTIF \
                        -p tcp -d $INTIPSERVER --dport $PORT -j ACCEPT
    iptables -A FORWARD -j LOG

Any traffic going from internal to external is allowed.

Any traffic going from external to internal is allowed if it is part of
an established connection.

Any traffic going from external to internal, and which has a destination
IP of $EXTIPTWO and a destination port of $PORT, is also accepted.  You
should have one or more rules like this in order to allow your server to
accept incoming connections on various ports.

All other traffic is logged and dropped.


Next you need some rules to NAT traffic (SNAT for outgoing, DNAT for
incoming):

    iptables -t nat -A PREROUTING -i $EXTIF \
                        -p tcp -d $EXTIPTWO --dport $PORT \
                        -j DNAT --to $INTIPSERVER


    iptables -t nat -A POSTROUTING -o $EXTIF -s $INTIPSERVER \
                        -j SNAT --to $EXTIPTWO
    iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET \
                        -j SNAT --to $EXTIPONE

The PREROUTING rule will DNAT traffic to the internal server, if it was
destined for external IP 2, and destined for $PORT.  You should repeat
this rule for each port you are allowing in, and make sure the
corresponding rule in the FORWARD chain also permits the traffic.  If
you have a lot of ports, either use port ranges, or "-m multiport", or
multiple rules, whichever is convenient.

The POSTROUTING rules are in a particular order.  If traffic is leaving
and it comes from our internal server, it is SNAT'd behind IP address 2.
All other hosts are SNAT'd behind IP address 1.


If you really have a need to have two physical interfaces, then these
rules will not work, but it is not the fault of iptables.  You will need
an enhanced routing package that allows source-routing in order to
direct traffic to the appropriate interface; once you have that, the
iptables rules will be simple to put together.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)     || "Good judgment comes from experience.
sometimes known as David DeSimone  ||  Experience comes from bad judgment."
_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
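The single-external-interface setup described in the post above, as an added example script (not the poster's own rules): it fills in constructed placeholder addresses, uses "-m multiport" for several server ports as the post suggests, emits the rules in load order so they can be reviewed before applying, and checks the two ordering pitfalls (the server's SNAT rule must precede the network-wide one, and the FORWARD accept rule must match the post-DNAT address). Interface names, addresses and ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. One external interface (EXTIF)
# carrying two public IPs, one internal interface. All values are constructed
# placeholders; replace them with your own.
INTIF=eth1
EXTIF=eth0
EXTIPONE=203.0.113.10      # workstations are SNAT'd behind this address
EXTIPTWO=203.0.113.11      # server is published on and SNAT'd behind this one
INTNET=192.168.1.0/24
INTIPSERVER=192.168.1.10
SERVER_PORTS=80,443        # comma-separated list for -m multiport

# Emit the rules one per line, in the order they must be loaded.
emit_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $INTIPSERVER -m multiport --dports $SERVER_PORTS -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
iptables -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIPTWO -m multiport --dports $SERVER_PORTS -j DNAT --to-destination $INTIPSERVER
iptables -t nat -A POSTROUTING -o $EXTIF -s $INTIPSERVER -j SNAT --to-source $EXTIPTWO
iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j SNAT --to-source $EXTIPONE
EOF
}

# Returns 0 if the server-specific SNAT rule is loaded before the network-wide
# one; otherwise the server would also be masked behind $EXTIPONE.
check_snat_order() {
    emit_rules | grep -n POSTROUTING |
    awk -F: -v srv="-s $INTIPSERVER " -v net="-s $INTNET " '
        index($0, srv) { server = $1 }
        index($0, net) { network = $1 }
        END { exit !(server && network && server + 0 < network + 0) }'
}

# FORWARD runs after nat/PREROUTING, so a FORWARD rule matching the public
# address $EXTIPTWO can never fire. Prints how many such stale rules exist.
count_stale_forward_rules() {
    emit_rules | grep -c -- "-A FORWARD.*-d $EXTIPTWO" || true
}

if [ "${1:-}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward    # required for any forwarding
    emit_rules | sh -e
fi
```

Run with `apply` as root to load the rules; without it the script only defines the functions, so `emit_rules` can be inspected first.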