[Wolves] NAT

Martyn Carey lists at kryogenix.co.uk
Fri Sep 10 18:22:02 BST 2004


Iptables is great if you have the time!
Smoothwall is the way forward. You only need two NICs for your rush job.
NIC 1: Green interface, i.e. on your LAN. Give your PCs this as their gateway,
job's a good 'un.

NIC 2: Red interface, one of your 32 IPs available from the PIX box. The
gateway of this NIC should then be the PIX box. Job's a good 'un,
no auditor will catch u out!

The next thing to worry about is what ports u want allowed into your LAN, if any?

Hope this is what u are thinking!
----- Original Message ----- 
From: "James Turner" <james at turnersoft.co.uk>
To: "Wolverhampton Linux User Group" <wolves at mailman.lug.org.uk>
Sent: Friday, September 10, 2004 5:50 PM
Subject: Re: [Wolves] NAT


> On Friday 10 Sep 2004 13:35, Simon Burke wrote:
>> Hi, just a quick one,
>> I have a redundant machine, well it's a 2.4 GHz P4, and I have a gaping
>> hole in my network where I need to perform NAT between a router and
>> the network. Any ideas?
>> Something which I can simply set up; it would need to be done quickly as our
>> company is being audited on Wednesday, and my botching won't hold up to
>> scrutiny at the moment.
>>
>> I thought Smoothwall but it never works for me, well it installs but
>> that's about it :(( Mandrake MNF hates me as last time I used it I had
>> two identical NICs so I didn't know which I was setting up.
>>
>> If all else fails, I need to go out and buy a cheap ADSL router which
>> can perform NAT, again any ideas??
>
> NAT should be quite easy to set up on any distro where the kernel is compiled
> with iptables and NAT support. That should get you going for a quick fix,
> though you may want to consider a distro which is designed specifically for
> high security applications for a longer-term solution.
>
> Here's a script for the following scenario:
>
> - NAT routing between two Ethernet cards:
>    - 192.168.0.0/24     - LAN "inside" the NAT, connected to eth0
>    - 192.168.0.1        - IP address of firewall on internal LAN
>    - 123.123.123.123    - "outside" IP address, connected to eth1
> - Port forwarding of TCP port 80 to a web server called "web1" inside the LAN
>
> #! /bin/sh
> # Reset any old rules that may be present (flush the chains before deleting
> # user-defined ones, since a non-empty chain cannot be deleted)
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
>
> # Set default policies - drop all incoming packets unless otherwise indicated,
> # forwarding and outgoing packets both allowed
> iptables -P INPUT DROP
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> # allow loopback and replies to the firewall's own outgoing connections,
> # otherwise the INPUT DROP policy cuts off localhost and e.g. DNS lookups
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # allow incoming data from LAN
> iptables -A INPUT -s 192.168.0.0/24 -p all -i eth0 -j ACCEPT
>
> # Masquerading for LAN
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 123.123.123.123
>
> # Enable IP forwarding between interfaces (routing)
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Port forward TCP/80 to web server "web1"
> iptables -t nat -A PREROUTING -p tcp -d 123.123.123.123 --dport http -j DNAT --to-destination web1:80
>
>
> If any of it works, I accept payment in curry, pint-cokes and old computer
> junk (preferably ex-server junk). :)
>
> James
>
> _______________________________________________
> Wolves LUG mailing list
> Homepage: http://www.wolveslug.org.uk/
> Mailing list: Wolves at mailman.lug.org.uk
> Mailing list home: http://mailman.lug.org.uk/mailman/listinfo/wolves
>
> 
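On the question of which ports to allow into the LAN: the quoted script leaves the FORWARD policy at ACCEPT, so anything routed from eth1 towards the LAN is passed. The script below is an added example (not James's or anyone else's code from this thread) that keeps his scenario but closes FORWARD by default, opens only the web1 port forward plus stateful replies, and emits the rules for review before applying them. It assumes web1 is 192.168.0.10, a placeholder address.

```shell
#!/bin/sh
# Added example for the scenario above: same interfaces and addresses as the
# quoted script; the web1 address is an assumed placeholder.
LAN_IF=eth0; LAN_NET=192.168.0.0/24
WAN_IF=eth1; WAN_IP=123.123.123.123
WEB1=192.168.0.10   # placeholder for the host called "web1"

# Print the rule set rather than applying it, so it can be read (or diffed
# against the running box) before anything changes.
emit_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB1 --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport 80 -j DNAT --to-destination $WEB1:80
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
EOF
}

# Number of FORWARD rules that admit new traffic arriving on the outside
# interface; with the rule set above that should be exactly one (web1:80).
count_inbound_forwards() {
    emit_rules | grep -c -- "-A FORWARD -i $WAN_IF"
}

# Apply the rules on the firewall itself and switch on routing.
apply_rules() {
    emit_rules | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only touch the live box when run as "sh nat.sh apply"; otherwise just print.
if [ "${1:-}" = apply ]; then apply_rules; else emit_rules; fi
```

Running it without arguments prints the rules; `sh nat.sh apply` loads them as root.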



