September 04, 2002

At last, I have figured

At last, I have figured out how to get IP addresses that are externally mapped in a 1-to-1 NAT fashion to work from the inside.

So, let's say that you have 4 external IP addresses (as I do), and you have already done 1-to-1 NAT for 3 of them, enabling you to basically treat 3 of your internal machines as if they were directly on the Internet. But the problem is, from the inside (say, from machine A to machine B), you can't use the external IP addresses, because the packets go to your linuxbox-router and die there.

Well, it'd been on the tip of my tongue for a long time now, but I finally was able to verbalize the iptables rules needed to get the linuxbox to SNAT and DNAT the packets as appropriate. Here's my ruleset for this purpose:


###############################################################################
###############################################################################
# One-to-One Mapping (Inbound from inside)

# If it is going out the internal interface, and is coming from an internal IP
# then change it to look like it's coming from the appropriate external IP
##========================================================================##
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL -s $JWIZ -j SNAT --to $EXT_IP_JWIZ
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL -s $SPELLBOUND -j SNAT --to $EXT_IP_SPELLBOUND
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL -s $ZIPPY -j SNAT --to $EXT_IP_BONUS

# Do the same thing for non 1-to-1 mapped IPs
# e.g. if they were pinging $EXT_IP_JWIZ from inside, this will make it work
##========================================================================##
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL -s $INTERNAL_NET -j SNAT --to $EXT_IP

# If it came in on the internal interface, and is going to an external IP
# then change it to go to an internal IP, just as you do for packets that
# came in on the external interface
##========================================================================##

$IPTABLES -t nat -A PREROUTING -i $INTERNAL -d $EXT_IP_JWIZ -j DNAT --to $JWIZ
$IPTABLES -t nat -A PREROUTING -i $INTERNAL -d $EXT_IP_SPELLBOUND -j DNAT --to $SPELLBOUND
$IPTABLES -t nat -A PREROUTING -i $INTERNAL -d $EXT_IP_BONUS -j DNAT --to $ZIPPY
##========================================================================##

###############################################################################
###############################################################################
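To show why both halves of the ruleset are needed, here is an added toy model of the netfilter NAT path (example code written for this page, not the author's script, and not a replacement for iptables). It walks one packet from an inside host to another host's external address through PREROUTING DNAT, the routing decision and POSTROUTING SNAT, then checks whether the server's reply gets back to the client. All addresses are constructed placeholders standing in for $INTERNAL_NET, $EXT_IP, $EXT_IP_JWIZ/$JWIZ and $EXT_IP_SPELLBOUND/$SPELLBOUND.

```python
import ipaddress

# Constructed sample addressing (not the author's real addresses):
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # $INTERNAL_NET
EXT_IP = "203.0.113.1"                                 # $EXT_IP, the router itself
ONE_TO_ONE = {"203.0.113.2": "10.0.0.2",               # $EXT_IP_JWIZ -> $JWIZ
              "203.0.113.3": "10.0.0.3"}               # $EXT_IP_SPELLBOUND -> $SPELLBOUND
EXT_FOR = {v: k for k, v in ONE_TO_ONE.items()}        # internal -> external

def in_lan(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET

def router(pkt, hairpin_snat=True):
    """Run the first packet of a flow (src, dst, in_iface) through the nat table
    in netfilter order: PREROUTING DNAT, routing decision, POSTROUTING SNAT.
    Only the inside-originated rules from the post are modelled; the usual
    DNAT for packets arriving on the external interface is left out."""
    src, dst, iif = pkt
    # PREROUTING: -i $INTERNAL -d $EXT_IP_X -j DNAT --to $X
    if iif == "INTERNAL" and dst in ONE_TO_ONE:
        dst = ONE_TO_ONE[dst]
    oif = "INTERNAL" if in_lan(dst) else "EXTERNAL"   # routing decision
    # POSTROUTING: -o $INTERNAL -s $X -j SNAT --to $EXT_IP_X, then the
    # catch-all -o $INTERNAL -s $INTERNAL_NET -j SNAT --to $EXT_IP
    if hairpin_snat and oif == "INTERNAL" and in_lan(src):
        src = EXT_FOR.get(src, EXT_IP)
    return (src, dst, oif)

def reply_reaches_client(orig, fwd):
    """The server answers whatever source it saw. If that address is off the LAN
    the reply is routed back through the router, whose conntrack entry reverses
    both translations; if it is on the LAN the reply goes direct and the client
    sees a source address it never sent to, so the connection never completes."""
    rsrc, rdst = fwd[1], fwd[0]
    if not in_lan(rdst):
        rsrc, rdst = orig[1], orig[0]
    return (rsrc, rdst) == (orig[1], orig[0])
```

Note that with these rules the destination host sees the router's (or the client's mapped) external address rather than the client's real internal address, so per-client firewall rules and logs on that host lose attribution for inside-originated traffic.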

Posted by jshare at September 4, 2002 11:29 PM
