[Wolves] NAT
James Turner
james at turnersoft.co.uk
Fri Sep 10 18:01:23 BST 2004
On Friday 10 Sep 2004 13:35, Simon Burke wrote:
> Hi, just a quick one,
> I have a redundant machine, well it's a 2.4 GHz P4 and I have a gaping
> hole in my network where I need to perform NAT between a router and
> the network. Any ideas?
> which I can simply set up, it would need to be done quickly as our
> company is being audited on Wednesday, and my botching won't hold up to
> scrutiny at the moment.
>
> I thought Smoothwall but it never works for me, well it installs but
> that's about it :(( Mandrake MNF hates me as last time I used it I had
> two identical NICs so I didn't know which I was setting up.
>
> If all else fails, I need to go out and buy a cheap ADSL router which
> can perform NAT, again any idea??
NAT should be quite easy to set up on any distro where the kernel is compiled
with iptables and NAT support. That should get you going for a quick fix,
though you may want to consider a distro which is designed specifically for
high security applications for a longer-term solution.
Here's a script for the following scenario:
- NAT routing between two Ethernet cards:
- 192.168.0.0/24 - LAN "inside" the NAT, connected to eth0
- 192.168.0.1 - IP address of firewall on internal LAN
- 123.123.123.123 - "outside" IP address, connected to eth1
- Port forwarding of TCP port 80 to a web server called "web1" inside the LAN
#! /bin/sh
# Reset any old rules that may be present (flush rules first: -X refuses to
# delete a user-defined chain that is still referenced by a rule)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Set default policies - drop all incoming packets unless otherwise indicated,
# forwarding and outgoing packets both allowed
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# allow incoming data from LAN
iptables -A INPUT -s 192.168.0.0/24 -p all -i eth0 -j ACCEPT
# Masquerading for LAN (outside address is static, so SNAT rather than MASQUERADE)
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 123.123.123.123
# Enable IP forwarding between interfaces (routing)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Port forward TCP/80 to web server "web1" (the hostname must resolve when the
# rule is added; iptables stores the resolved address, not the name)
iptables -t nat -A PREROUTING -p tcp -d 123.123.123.123 --dport http -j DNAT \
    --to web1:80
If any of it works, I accept payment in curry, pint-cokes and old computer
junk (preferably ex-server junk). :)
James
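A hardened variant of the script above, as an added example that is not James's own script. It keeps the same constructed scenario (eth0 on 192.168.0.0/24, eth1 at 123.123.123.123, TCP/80 forwarded to an internal host assumed to resolve as web1) but defaults FORWARD to DROP, admits replies via connection tracking, and drops packets claiming an inside source address on the outside card. By default it prints the rules for review; set IPT=iptables to apply them.

```shell
#!/bin/sh
# IPT defaults to a dry run that echoes each command instead of running it.
IPT="${IPT:-echo iptables}"
LAN_IF=eth0; LAN_NET=192.168.0.0/24
WAN_IF=eth1; WAN_IP=123.123.123.123
WEB1=web1   # assumed hostname of the internal web server (constructed)

nat_rules() {
    # Flush before deleting user chains (-X fails on a referenced chain)
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    # Deny by default on INPUT and FORWARD; the box's own outbound traffic is fine
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Anti-spoofing: nothing with an "inside" source may arrive on the outside card
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Traffic to the firewall itself: loopback, the LAN, and replies it asked for
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Forwarding: LAN out, tracked replies back, and only new TCP/80 to web1 in
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB1" --dport 80 \
        -m state --state NEW -j ACCEPT
    # NAT: SNAT everything leaving eth1, DNAT inbound TCP/80 to web1
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 80 \
        -j DNAT --to-destination "$WEB1:80"
}

enable_forwarding() {
    # Only touch the kernel when really applying, never during a dry run
    [ "$IPT" = "iptables" ] && echo 1 > /proc/sys/net/ipv4/ip_forward
    return 0
}

# Number of iptables commands the rule set emits (dry run sanity check)
count_rules() { nat_rules | grep -c '^iptables'; }

nat_rules
enable_forwarding
```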