Scenario:
router eth0 to Fwall: 192.168.2.2
Fwall eth0 from router: 192.168.2.1
Fwall eth1 from DMZ: 172.16.1.1
Fwall eth2 from LAN: 192.168.1.1
My understanding of the concepts of filtering and NAT:

Pinging from the router eth0 thru Fwall eth2 to the LAN, it first goes through the PREROUTING nat table, then the filter INPUT----this is the path it takes to get to any box in the LAN.....yes?

To get a reply from this ping it must go thru the NAT OUTPUT then filter OUTPUT.....this is my understanding of the return path for this ping from the router eth0.....is this correct so far? If so, what would be the syntax for the NAT OUTPUT in order to get an echo-reply? This is the portion of the script for my NAT configuration.

Mind, ppl, I just started learning this........any suggestion will most certainly be welcomed and appreciated...TIA...
--snip--
## PREROUTING ##
iptables -A PREROUTING -t nat -s 192.168.2.0/24 -d 192.168.1.0/24 -j DNAT --to 192.168.1.0
## POSTROUTING ##
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -d 192.168.2.0/24 -j SNAT --to 192.168.2.0
#
## NAT OUTPUT ##
iptables -A OUTPUT -t nat -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
## It looks like this is where the problem is at, syntax ??
#
## FORWARD traffic between INTERNAL and DMZ
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT
## This should enable me to forward ping requests and replies
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## universally.....yes...??
#
## INPUT manage traffic coming into this box ##
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth2 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.2.2 -d 192.168.1.0/24 -p icmp -j ACCEPT
## I configured this in order to ping the eth0 on the router
## and it works fine.....this is where it stops, it has no way to reply
## to this packet hence forth my dilemma
#
## OUTPUT manage traffic going out of this box ##
#iptables -A OUTPUT -o eth2 -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -o eth2 -s 192.168.1.0/24 -p icmp --icmp-type echo-reply -j ACCEPT
#iptables -A OUTPUT -o eth1 -s 172.16.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -o eth1 -s 172.16.1.0/24 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -s 192.168.1.0/24 -j ACCEPT
--snip--
---
Tim Rodriguez -- Mia/Fla. Network Security Student
---
I prefer to be a dreamer among the humblest, with visions to be realized, than a lord among those without dreams and desires.
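Added example, not part of Tim's post or of any iptables documentation: a small Python model of the order in which netfilter walks its chains on the Fwall above, using only the interface addresses from the scenario. It shows that a ping arriving from the router for a LAN host passes nat PREROUTING, the routing decision, filter FORWARD and nat POSTROUTING, and that the host's echo-reply takes the same forwarding path back; filter INPUT is reached only when the destination is one of the Fwall's own addresses, and nat/filter OUTPUT only for packets a process on the Fwall itself generates. The Conntrack class models how the kernel records a DNAT mapping on the first packet and reverses it for the reply on its own, so no nat OUTPUT rule is involved in un-NATing an echo-reply. The usable_host check flags a NAT target that is a subnet's network or broadcast address (192.168.1.0 is the network address of 192.168.1.0/24). The function names, the conntrack model and the sample hosts are constructed for illustration; mangle and raw tables are left out.

```python
# Added example: a model of netfilter chain traversal on the Fwall from the
# scenario.  Addresses come from the post; everything else is a constructed
# simplification (no mangle/raw tables, no policy routing).
from ipaddress import ip_address, ip_network

# Fwall interfaces from the post: eth0 toward the router, eth1 DMZ, eth2 LAN
FWALL_IFACES = {
    "eth0": (ip_address("192.168.2.1"), ip_network("192.168.2.0/24")),
    "eth1": (ip_address("172.16.1.1"), ip_network("172.16.1.0/24")),
    "eth2": (ip_address("192.168.1.1"), ip_network("192.168.1.0/24")),
}
ROUTER_ETH0 = "192.168.2.2"          # the router's address from the scenario
SAMPLE_LAN_HOST = "192.168.1.50"     # constructed LAN host for the walkthrough


def is_local_address(addr):
    """True when addr is one of the Fwall's own addresses (local delivery)."""
    return any(addr == own for own, _ in FWALL_IFACES.values())


def route(dst):
    """Outgoing interface for dst on the Fwall, or None if there is no route."""
    for name, (_, net) in FWALL_IFACES.items():
        if dst in net:
            return name
    return None


def chains_for_arriving_packet(dst):
    """Chains traversed by a packet received on a Fwall interface from another host.

    Returns (ordered chain list, outgoing interface or None).  Only a packet
    addressed to the Fwall itself reaches INPUT; a packet for a LAN, DMZ or
    router host is routed and takes FORWARD, then POSTROUTING.
    """
    dst = ip_address(dst)
    path = ["nat PREROUTING"]            # DNAT is decided here, before routing
    if is_local_address(dst):
        path.append("filter INPUT")
        return path, None
    out_if = route(dst)
    if out_if is None:
        return path + ["(routing: no route, dropped)"], None
    path += ["filter FORWARD", "nat POSTROUTING"]   # SNAT is decided last
    return path, out_if


def chains_for_local_packet(dst):
    """Chains traversed by a packet generated by a process on the Fwall itself."""
    return ["nat OUTPUT", "filter OUTPUT", "nat POSTROUTING"], route(ip_address(dst))


class Conntrack:
    """Minimal connection-tracking table.  A NAT mapping is recorded once for
    the first packet of a flow and reversed automatically for the reply."""

    def __init__(self):
        self._flows = {}     # (orig_src, orig_dst) -> translated dst

    def dnat(self, src, dst, new_dst):
        """Apply a DNAT decision made in nat PREROUTING and remember it."""
        self._flows[(src, dst)] = new_dst
        return (src, new_dst)

    def reply(self, reply_src, reply_dst):
        """Rewrite a reply from the DNAT target back onto the original tuple."""
        for (orig_src, orig_dst), new_dst in self._flows.items():
            if reply_src == new_dst and reply_dst == orig_src:
                return (orig_dst, orig_src)
        return (reply_src, reply_dst)    # untracked flow: left unchanged


def usable_host(addr, net):
    """False when a NAT target is the network or broadcast address of net."""
    addr, net = ip_address(addr), ip_network(net)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    print("router -> LAN host:", chains_for_arriving_packet(SAMPLE_LAN_HOST))
    print("LAN host -> router (reply):", chains_for_arriving_packet(ROUTER_ETH0))
    print("router -> Fwall eth0 itself:", chains_for_arriving_packet("192.168.2.1"))
    print("Fwall's own reply to the router:", chains_for_local_packet(ROUTER_ETH0))
    ct = Conntrack()
    print("DNAT:", ct.dnat(ROUTER_ETH0, "192.168.1.10", SAMPLE_LAN_HOST))
    print("reply un-NATed:", ct.reply(SAMPLE_LAN_HOST, ROUTER_ETH0))
    print("192.168.1.0 usable as NAT target:", usable_host("192.168.1.0", "192.168.1.0/24"))
```

Running it prints the chain lists for the four cases: the two FORWARD paths for the router-to-LAN ping and its reply, the INPUT path for a ping aimed at the Fwall's own eth0 address, and the OUTPUT path for the Fwall's own reply, which is the only case where a nat OUTPUT rule would ever be consulted.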