On Tuesday 26 February 2002 03:18 pm, Sébastien FOUTREL aka Tino wrote:
> netstat -nr
> xxx.xxx.xxx.112  0.0.0.0          255.255.255.252  U    40 0  0 eth1 (External)
> xxx.xxx.xxx.112  0.0.0.0          255.255.255.240  U    40 0  0 eth2 (DMZ)
> 10.0.0.0         0.0.0.0          255.0.0.0        U    40 0  0 eth0 (LAN)
> 127.0.0.0        0.0.0.0          255.0.0.0        U    40 0  0 lo
> 0.0.0.0          xxx.xxx.xxx.113  0.0.0.0          UG   40 0  0 eth1
>
> I want to have a LAN machine visible on the Internet with a public IP,
> but all I can do is a NATed machine that is visible on the Internet with a
> public IP BUT which has access to the Internet via the gateway of the LAN
> instead of using its public IP...
>
> In fact I think I need a 2-way NAT.
   |
   | eth1 External (Internet) ext_ip, ext_ip1, ext_ip2 ... (aliases)
-------                                          -------
| LFW | ----------- eth2 DMZ dmz_ip -------------| DMZ |
-------                                          -------
   |
   | eth0 LAN
-------
| LAN |
-------
   |
   |
------
| PC | pc_ip=10.0.0.XXX
------
Suppose that ext_ip1 is the public IP which you want to use to reach your PC
on the LAN.
To have an internal PC accessible from the Internet you need DNAT and SNAT:
iptables -t nat -A PREROUTING --destination $ext_ip1 --in-interface eth1 \
    --jump DNAT --to-destination $pc_ip
iptables -t nat -A POSTROUTING -s $pc_ip --out-interface eth1 --jump SNAT \
    --to-source $ext_ip1
Note: ext_ip1 should be one of the IPs on the eth1 interface card.
And of course, in the FORWARD chain, allow access:
### incoming connections to your PC
### (the DNAT in PREROUTING has already rewritten the destination to $pc_ip
###  by the time the packet reaches FORWARD, so match $pc_ip here, not $ext_ip1)
iptables --table filter --append FORWARD --in-interface eth1 \
    --out-interface eth0 --destination $pc_ip --jump ACCEPT
### outgoing connections from your PC to the Internet
iptables --table filter --append FORWARD --in-interface eth0 \
    --out-interface eth1 --source $pc_ip --jump ACCEPT
This allows everything to your PC!
Best regards.
Erdal MUTLU
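As an added example (not part of the mail thread above, and not Erdal's or Sébastien's own script), here is the same one-to-one NAT packaged as a shell function, with the FORWARD rules narrowed so that only listed TCP ports may open new connections to the PC instead of "everything". The interface names eth1/eth0, the addresses 192.0.2.2 and 10.0.0.10, the port list and the IPTABLES dry-run variable are assumptions for illustration only; the state-tracking rules use the classic "-m state" match of the iptables of that era (today's spelling is "-m conntrack --ctstate").

```shell
#!/bin/sh
# Added example, not code from the original mail. Assumptions: eth1 is the
# Internet-facing interface, eth0 the LAN, 192.0.2.2 is the public alias on
# eth1 and 10.0.0.10 the LAN host. Set IPTABLES=echo to print the rules
# instead of loading them into the kernel.
IPTABLES="${IPTABLES:-iptables}"

# usage: one_to_one_nat EXT_IF INT_IF EXT_IP1 PC_IP [TCP_PORT ...]
#   With no ports listed, nothing from the Internet may open a new
#   connection to the PC; replies to the PC's own connections still pass.
one_to_one_nat() {
    ext_if=$1; int_if=$2; ext_ip1=$3; pc_ip=$4; shift 4

    # Translation in both directions: public alias <-> LAN host.
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -d "$ext_ip1" -j DNAT --to-destination "$pc_ip"
    $IPTABLES -t nat -A POSTROUTING -o "$ext_if" -s "$pc_ip" -j SNAT --to-source "$ext_ip1"

    # Filtering. PREROUTING runs before FORWARD, so by the time an inbound
    # packet is filtered its destination is already pc_ip, never ext_ip1.
    # Replies in either direction are accepted via connection tracking.
    $IPTABLES -A FORWARD -i "$ext_if" -o "$int_if" -d "$pc_ip" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$int_if" -o "$ext_if" -s "$pc_ip" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The PC may open new connections to the Internet (SNATed to ext_ip1).
    $IPTABLES -A FORWARD -i "$int_if" -o "$ext_if" -s "$pc_ip" \
        -m state --state NEW -j ACCEPT

    # The Internet may open new connections to the PC only on the listed
    # TCP ports; this replaces the "allow everything" rule from the thread.
    for port in "$@"; do
        $IPTABLES -A FORWARD -i "$ext_if" -o "$int_if" -d "$pc_ip" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Anything else from outside towards the PC is dropped.
    $IPTABLES -A FORWARD -i "$ext_if" -o "$int_if" -d "$pc_ip" -j DROP
}

# Stand-alone use:  IPTABLES=echo sh nat1to1.sh 192.0.2.2 10.0.0.10 22 80 443
# (run as root without IPTABLES=echo to actually load the rules)
if [ $# -ge 2 ]; then
    one_to_one_nat eth1 eth0 "$@"
fi
```

Preview the generated rule set with IPTABLES=echo before loading it; the ordering matters, since the final DROP for traffic towards the PC must come after the ESTABLISHED,RELATED and per-port ACCEPT rules.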