Re: iptables DNAT
Right now I have a pppoe interface with 5 static IPs on it. I have 5 servers, one of which is the firewall/router/pppoe/iptables box.
So do you have the router/firewall setup with 5 external IPs assigned as aliases, like pppoe0:1, pppoe0:2, etc? And you want to map each external IP to an internal server using DNAT?
For some reason I cannot even ping the WAN IP that I have put a DNAT entry in for.
You can't ping the external IPs from where, a remote host or from inside the LAN?
How do I configure DNAT?
The standard method is to just add a DNAT rule to the PREROUTING chain that redirects the packet to the internal machine, then add a forwarding rule to allow packets to pass from the external interface to the internal one. So for example, say we wanted to route incoming http traffic that is coming into the router's external interface (pppoe0) to an internal web server (xxx.xxx.xxx.xxx); our DNAT rule would look something like this:
iptables -t nat -A PREROUTING -i pppoe0 -p tcp --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx
The rule to forward the http traffic from the external interface (pppoe0) to the internal one (eth0) would look like this:
iptables -A FORWARD -i pppoe0 -o eth0 -p tcp --dport 80 -j ACCEPT
In most situations you have to add another forwarding rule to allow traffic back out, but if you have SNAT working, then it sounds like you have that already functioning.
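Added example (not from the thread, not anyone's posted rules): a small POSIX sh generator that turns a table of "external IP, internal server, port" mappings into the PREROUTING DNAT rule, the matching FORWARD rule and one shared return-traffic rule. It adds a `-d EXTERNAL_IP` match that the single-rule example above does not need, because with five aliases on pppoe0 you want each external address to land on a different server. Interface names pppoe0/eth0 follow the thread; all IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: generate iptables rules mapping several external
# (PPPoE alias) IPs to internal servers. Prints the rules so they can be
# reviewed first; pipe the output into `sh` on the router to apply them.
WAN_IF=pppoe0   # external interface (from the thread)
LAN_IF=eth0     # internal interface (from the thread)

# dnat_rules EXTERNAL_IP INTERNAL_IP PORT
dnat_rules() {
    ext=$1; int=$2; port=$3
    # Match on -d so only traffic for this one external IP is translated;
    # without it every alias would hit the first DNAT rule.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$ext" "$port" "$int"
    # FORWARD sees the packet after DNAT, so -d is the internal address here.
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$int" "$port"
}

# Replies from the servers: one stateful rule covers every mapping.
return_rule() {
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$LAN_IF" "$WAN_IF"
}

# Constructed mapping table (placeholder addresses): "external internal port"
MAPPINGS='
203.0.113.10 192.168.1.10 80
203.0.113.11 192.168.1.11 443
'

# Emit the full rule set for every mapping, then the shared return rule.
all_rules() {
    echo "$MAPPINGS" | while read -r ext int port; do
        if [ -n "$ext" ]; then
            dnat_rules "$ext" "$int" "$port"
        fi
    done
    return_rule
}

all_rules
```

Run it on the router with `./gen_dnat.sh | sh` once the printed rules look right; the table can be extended to all five servers.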
Do I need to put all the WAN IPs on an interface?
Not quite sure what you mean here. Maybe you should explain?
It also will probably help a lot if you post your current firewall rules, so we can see what you are working with. Make sure to remove any identifiable (public) IP addresses first.