Hi all - this is my first post, however I read through the archives to see if something like this had been covered. I am a network tech with lots of Cisco and MS experience, but I am just branching into Linux stuff for some purposes.
I installed Red Hat 7.2 and upgraded the iptables in it to 1.2.5 without trouble (I compiled, I didn't use the RPM). I am converting an ISP connection that hosts an ASP server through a crappy little NetScreen (meant for 5 users) which doesn't support a bunch of the features I would like to put in. I had built a config file for iptables using examples, documentation and a book I bought. Didn't seem to be working, so I pared down the script to just do a single NAT translation to one of the servers behind the firewall which will be receiving and initiating connections. DMZ is the network with the computers that will be behind this firewall, LAN is connected to my machine only for admin purposes, INET is connected to the internet. This is what my script looks like pared down to just try to do a single NAT:

##########
#activate kernel forwarding
#(the space before ">" matters: "echo 1>file" redirects fd 1 and writes an empty line, so forwarding stays off)
echo 1 > /proc/sys/net/ipv4/ip_forward

#FLUSH AND SET POLICIES
#remove existing rules
/sbin/iptables --flush
/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush

#set default chain policies
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT

#SET CONSTANTS
LOOPBACK_INTERFACE="lo"          #loopback interface
INET_INTERFACE="eth0"            #internet-connected interface
LAN_INTERFACE="eth2"             #LAN-connected interface
DMZ_INTERFACE="eth1"             #DMZ-network connected interface
LAN_ADDRESSES="192.168.41.0/24"  #LAN network
DMZ_ADDRESSES="192.168.50.0/24"  #DMZ network
INET_ADDRESSES="207.54.98.8/29"  #INET network
PRIVPORTS="0:1023"               #well-known, privileged port range
UNPRIVPORTS="1024:65535"         #unprivileged ports
HUB_EX="207.54.98.12"            #hub external address
HUB_INT="192.168.50.10"          #hub internal address

#enable loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#forward external address to internal address
/sbin/iptables -t nat -A PREROUTING -i $INET_INTERFACE -d $HUB_EX -j DNAT --to $HUB_INT
/sbin/iptables -t nat -A POSTROUTING -o $INET_INTERFACE -s $HUB_INT -j SNAT --to $HUB_EX

#allow all connections from LAN interface
/sbin/iptables -A INPUT -i $LAN_INTERFACE -j ACCEPT
/sbin/iptables -A OUTPUT -o $LAN_INTERFACE -j ACCEPT
###########

I also have a script to load the modules

###########
#! /bin/bash
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_state
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
#! /bin/bash
###########

And some of those are for modules not being used by this script - but they were required for my previous script. This obviously isn't working since I am posting to this list. Am I missing something? I had rules to allow the traffic to the NAT'ed address, but changed the default policy to accept to simplify while I troubleshoot. I would have thought this was all I needed - but apparently not - is there something (non-iptables) that I need to do to make a NAT translation like this work? My intent for testing is to connect to this machine on port 5555, but it is currently not working. Any help anyone can provide is appreciated. Thanks!

Max Inglis
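The following is an added example, not the poster's script or anything from this list: the same single-host 1:1 NAT, with the forwarding sysctl and the rule set kept in shell functions so they can be inspected and checked without root. It reuses the interface name and addresses from the post; the IPT and APPLY variables, and the optional file argument to enable_forwarding, are assumptions of this example only. Unlike the post it also carries the FORWARD rules a DROP policy on FORWARD would need once troubleshooting is over.

```shell
#!/bin/sh
# Added example, not the original poster's script. Same interface and
# addresses as the post; IPT and APPLY are knobs assumed for this example.
IPT="${IPT:-/sbin/iptables}"
INET_INTERFACE="eth0"
HUB_EX="207.54.98.12"     # public address the hub is reached at
HUB_INT="192.168.50.10"   # hub's address on the DMZ

# Turn on routing between interfaces. Takes the sysctl file as an optional
# argument so it can be exercised against a temp file. Note the space after
# "1": "echo 1>file" is a redirection of fd 1 and writes an empty line.
enable_forwarding() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    echo 1 > "$f"
    [ "$(cat "$f")" = "1" ]
}

# The rule set, one rule per line, so it can be reviewed without root.
# DNAT rewrites inbound packets for the public address; SNAT rewrites the
# hub's outbound packets so replies come back through the firewall. The
# FORWARD rules admit new connections toward the hub and from it, and let
# conntrack state carry the replies.
nat_rules() {
    cat <<EOF
-t nat -A PREROUTING -i $INET_INTERFACE -d $HUB_EX -j DNAT --to-destination $HUB_INT
-t nat -A POSTROUTING -o $INET_INTERFACE -s $HUB_INT -j SNAT --to-source $HUB_EX
-A FORWARD -i $INET_INTERFACE -d $HUB_INT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $INET_INTERFACE -s $HUB_INT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rules in the set (cheap sanity check before applying).
rule_count() {
    nat_rules | grep -c .
}

# Apply every rule with the configured iptables binary; stop on the first
# failure ("exit" here leaves only the pipeline's subshell).
apply_rules() {
    nat_rules | while read -r rule; do
        $IPT $rule || exit 1
    done
}

# Only touch the kernel when explicitly asked; otherwise show what would run.
if [ "${APPLY:-0}" = "1" ]; then
    enable_forwarding && apply_rules
else
    echo "Dry run (set APPLY=1 to apply with $IPT):"
    nat_rules | sed "s|^|$IPT |"
fi
```

Run it plain for a dry run, or with APPLY=1 as root to load the rules. After applying, `iptables -t nat -L -n -v` shows per-rule packet counters: if the PREROUTING DNAT counter stays at zero while you connect to 207.54.98.12:5555 from outside, the packets never reach the box at all, which usually means the firewall is not answering for that address on eth0 (it must be configured on the interface, or the upstream router must be able to ARP for it); DNAT can only rewrite packets the kernel has already received. If the DNAT counter rises but the POSTROUTING SNAT counter does not, forwarding is off or the FORWARD chain is dropping, so check the sysctl first.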
