iptables DNAT with 2 firewalls 2 networks

dales79 · 02-07-2006, 07:02 AM

Hi

I have two firewalls, f1 and f2. Each firewall is connected to each other via eth1. And each firewall as a web server/client machine attached to it via eth0 c1 (connected to f1 eth0) and c2 (connected to f2 eth0).

I am having trouble configuring each firewall so that client1 can read web pages stored on client2 and vice versa.

I have the following ip addresses:
f1 eth1 = 193.63.1.1
f1 eth0 = 192.168.1.10

f2 eth1 = 193.63.1.2
f2 eth0 = 192.168.2.10

c1 eth0 = 192.168.1.1
c1 Default Gateway = 192.168.1.10

c2 eth0 = 192.168.2.1
c2 Default Gateway = 192.168.2.10

I have enabled ip forwarding and am hoping that the following scripts will work - can someone just take a look and let me know if the ipaddresses are in the right places or if something is wrong - what is wrong?:

F1:
iptables -t nat -A POSTROUTING -s 192.168.1.0/16 -j SNAT -o eth1 --to-source 193.63.1.1
and
iptables -t nat -A PREROUTING -d 193.63.1.1 -i eth1 -p TCP --dport 80 -j DNAT --to-destination 192.168.1.1

F2:
iptables -t nat -A POSTROUTING -s 192.168.2.0/16 -j SNAT -o eth1 --to-source 193.63.1.2
and
iptables -t nat -A PREROUTING -d 193.63.1.2 -i eth1 -p TCP --dport 80 -j DNAT --to-destination 192.168.2.1

I am not really to sure if the ipaddresses are correct - for example should the source ip address of f1 be of the f2 machine instead?

Please help

Thanks in advance - I really appreciate it.

Sam

win32sux · 02-07-2006, 01:58 PM

Quote:

Originally Posted by dales79

Hi

I have two firewalls, f1 and f2. Each firewall is connected to each other via eth1. And each firewall as a web server/client machine attached to it via eth0 c1 (connected to f1 eth0) and c2 (connected to f2 eth0).

I am having trouble configuring each firewall so that client1 can read web pages stored on client2 and vice versa.

I have the following ip addresses:
f1 eth1 = 193.63.1.1
f1 eth0 = 192.168.1.10

f2 eth1 = 193.63.1.2
f2 eth0 = 192.168.2.10

c1 eth0 = 192.168.1.1
c1 Default Gateway = 192.168.1.10

c2 eth0 = 192.168.2.1
c2 Default Gateway = 192.168.2.10

I have enabled ip forwarding and am hoping that the following scripts will work - can someone just take a look and let me know if the ipaddresses are in the right places or if something is wrong - what is wrong?:

F1:
iptables -t nat -A POSTROUTING -s 192.168.1.0/16 -j SNAT -o eth1 --to-source 193.63.1.1
and
iptables -t nat -A PREROUTING -d 193.63.1.1 -i eth1 -p TCP --dport 80 -j DNAT --to-destination 192.168.1.1

F2:
iptables -t nat -A POSTROUTING -s 192.168.2.0/16 -j SNAT -o eth1 --to-source 193.63.1.2
and
iptables -t nat -A PREROUTING -d 193.63.1.2 -i eth1 -p TCP --dport 80 -j DNAT --to-destination 192.168.2.1

I am not really to sure if the ipaddresses are correct - for example should the source ip address of f1 be of the f2 machine instead?

Please help

Thanks in advance - I really appreciate it.

Sam

IMHO it should look like this instead:

FIREWALL 1:

Code:

iptables -P FORWARD DROP

iptables -t nat -A POSTROUTING -o eth1 -j SNAT \
--to-source 193.63.1.1

iptables -t nat -A PREROUTING -p TCP -i eth1 -d 193.63.1.1 \
--dport 80 -j DNAT --to-destination 192.168.1.1

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 192.168.1.1 \
--dport 80 -m state --state NEW -j ACCEPT

FIREWALL 2:

Code:

iptables -P FORWARD DROP

iptables -t nat -A POSTROUTING -o eth1 -j SNAT \
--to-source 193.63.1.2

iptables -t nat -A PREROUTING -p TCP -i eth1 -d 193.63.1.2 \
--dport 80 -j DNAT --to-destination 192.168.2.1

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 192.168.2.1 \
--dport 80 -m state --state NEW -j ACCEPT

remember to flush your chains before you set your rules...

also, it's a good idea to set the "rp_filter" kernel option:

Code:

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

dales79 · 02-07-2006, 02:57 PM

Thank you so much - it is everything I needed!