Home / server / Questions / 243293
Accepted
VP.
Asked: 2011-03-05 08:51:10 +0800 CST

iptables question

  • 772

i have a small network, with one valid IP and a firewall with 3 network interfaces (LAN, WAN, DMZ).

  • I want to enable PAT on this valid IP to redirect http traffic to a server in my DMZ. (done)
  • I want to enable MASQ on this ip from traffic that comes from my LAN (done)
  • I want from my LAN as well to access my http server at DMZ. (partially)

Question:

in the above scenario, i cannot from my LAN, to access my http server in the DMZ, since it has the IP used by the MASQ (the only valid ip that i have). What would be the best option to solve this problem?

network interfaces:

  • eth0 (WAN)
  • eth1 (DMZ)

  • eth2 (LAN)

    /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    /sbin/iptables -A FORWARD --o eth1 -d 2.2.2.2 -p tcp --dport 80 -j ACCEPT

    /sbin/iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to 2.2.2.2

    /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

    /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    /sbin/iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

linux networking nat iptables

3 Answers

  1. Sounds like you are just having the standard hairpin NAT issue.

    A common solution to the problem is to give your host in the DMZ an a private IP, on a different subnet, and setup split DNS. You server the private address to the internal hosts, and the external hosts will get the public address. You then have firewall rules to permit internal clients to the private DMZ subnet, and you have a NAT, and rule to forward from the address/port from to the web server in your DMZ.

    • 3

  2. As an example of a problem that could be caused by topology - if your internal networks DMZ and LAN are using overlapping subnets, then this could cause the problem you are seeing because the LAN machine would not send packets destined for the DMZ machine to the firewall/default route (since it would think the DMZ machine is local).

    That said, you said that browsing from your LAN to 1.1.1.1:80 is not working. That makes sense because your DNAT rule is restricted to packets that come in eth0 (the -i eth0), so it won't DNAT packets coming from eth2 and headed to 1.1.1.1:80. I don't see a good reason to restrict that PREROUTING rule to a specific ethernet interface.

    Does hitting 2.2.2.2:80 work from the LAN host?

    • 2
  3. Best Answer

    I'm a bit confused with your explanation. So I'll just use a sample scenario here:

    • eth0 = WAN = 123.11.22.33
    • eth1 = DMZ = 192.168.1.0/24
    • eth2 = LAN = 172.16.0.0/16

    And the webserver is given 192.168.1.55

    # First, allow LAN & DMZ to access the outside world
-t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Now, allow outside access to the webserver
-t nat -A PREROUTING -i eth0 -d 123.11.22.33 -p tcp --dport 80 -j DNAT --to 192.168.1.55:80
# Finally, allow forwarding
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -d 191.168.1.55 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT

    If you need more security, feel free to expand the last two lines above, e.g.:

    -N eth1_fwd
-N eth2_fwd
-A FORWARD -i eth1 -g eth1_fwd
-A FORWARD -i eth2 -g eth2_fwd
-A eth1_fwd -s ...... -j ACCEPT
...
-A eth2_fwd -s ...... -j ACCEPT
...

    Hope this helps. Don't forget to add a default route toward the default gateway of eth0 :)

    edit: oops, wrong ifaces on the later rules

    • 2