
[LUG] iptables NAT problem?

Hi

I'm sure this has worked for me in the past, but this time NAT doesn't work; I can't see what's wrong. Any ideas?
The NAT firewall server is running CentOS 4.6 (Red Hat clone).

SELinux is off.

The 169.254 IP is for test purposes only.

It was based on the following URL:
http://www.cyberciti.biz/faq/linux-demilitarized-zone-howto/

My test script is as follows:

#! /bin/bash

echo "1" > /proc/sys/net/ipv4/ip_forward
# echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# net.ipv4.ip_forward=1
# net.ipv4.conf.all.rp_filter=1
# net.ipv4.icmp_echo_ignore_broadcasts=1

IPTABLES="/sbin/iptables"
EXT_IP1="169.254.5.205"
INT_IP1="10.11.5.54"
EXTIF="eth0"
INTIF="eth1"

# iptables --flush # Flush all the rules in filter and nat tables
# iptables --table nat --flush
# iptables --delete-chain

# Delete all chains that are not in default filter and nat table
# iptables --table nat --delete-chain

# Let the firewall host itself accept new connections on 80 and 443
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# Outside eth0 forward to int eth1 ##
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Route incoming HTTP (port 80)
iptables -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXT_IP1 --dport 80 -j DNAT --to-destination $INT_IP1
iptables -t nat -A POSTROUTING -p tcp -o $INTIF -s $INT_IP1 -j SNAT --to-source $EXT_IP1

# Route incoming HTTPS (port 443)
iptables -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXT_IP1 --dport 443 -j DNAT --to-destination $INT_IP1
iptables -t nat -A POSTROUTING -p tcp -o $INTIF -s $INT_IP1 --dport 443 -j SNAT --to-source $EXT_IP1

# Show the resulting nat table
iptables -t nat -L


########################
#      script end      #
########################

At the end of the day I am trying to proxy a hidden server to the web without showing its real network info.

I tried Squid as a reverse proxy, but found I could only get port 80 to proxy. I wanted ports 21 and 443 to proxy as well, but that wouldn't work. The SSL (443) cert is based on the domain name only, so the IP doesn't affect it as long as the domain name resolves to the external IP.

Network diagram attached

Regards

Sam

Attachment: LaCLUGnatQ.gif
Description: GIF image

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
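The DNAT/SNAT "hidden server" setup the post is aiming for, written out as an added example; this is not Sam's script and not the cyberciti.biz how-to, and the interface names, addresses and port list are reused from the post only as defaults (the `ipt` wrapper, the `DRY_RUN` switch and the function names are assumptions of this example). Two points a practitioner checks first in a script like the one above: the nat and filter tables are flushed and given a default policy before new rules are appended, so nothing left over from an earlier run or from the distribution's stock chains gets in the way; and the POSTROUTING SNAT rule matches the post-DNAT destination (`-d $INT_IP1`), not `-s $INT_IP1`. On the firewall-to-server leg the packet's source is still the remote client, so a source match on the server's own address never fires, the server replies straight to the client, and the NAT appears not to work. The FORWARD accepts are also restricted to the DNAT'd ports rather than every NEW connection arriving on eth0. Note that DNAT'd packets traverse FORWARD, not INPUT, so INPUT rules for 80 and 443 only matter for services on the firewall host itself. The `state` match is used rather than the newer `conntrack` match, since CentOS 4 ships an old iptables.

```shell
#!/bin/sh
# Added example (not the original poster's script): DNAT/SNAT publishing of a
# hidden HTTP/HTTPS server behind a two-interface Linux firewall.
# Addresses, interface names and the DRY_RUN switch are assumptions for the demo.
set -eu

EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
EXT_IP1="${EXT_IP1:-169.254.5.205}"   # public-facing address (link-local here, test only)
INT_IP1="${INT_IP1:-10.11.5.54}"      # the hidden web server
PORTS="${PORTS:-80 443}"

# DRY_RUN=1 (the default) prints the rules instead of loading them, so the
# generated rule set can be reviewed without root.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

reset_tables() {
    # Stale rules from an earlier run, or the distribution's default chains,
    # are the usual reason a previously working NAT script stops working.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -t nat -X
    # Deny forwarding by default; only the flows published below get through.
    ipt -P FORWARD DROP
}

publish_port() {
    port="$1"
    # 1. Rewrite the destination of inbound connections to the external IP.
    ipt -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXT_IP1" --dport "$port" \
        -j DNAT --to-destination "$INT_IP1"
    # 2. Rewrite the source on the way out of INTIF. Matching is by the
    #    post-DNAT destination: the source at this point is the remote client.
    #    The hidden server then only ever sees, and replies to, the firewall.
    #    Cost: the server no longer logs the real client address.
    ipt -t nat -A POSTROUTING -o "$INTIF" -p tcp -d "$INT_IP1" --dport "$port" \
        -j SNAT --to-source "$EXT_IP1"
    # 3. Allow exactly this flow through FORWARD, keyed on the DNAT'd destination.
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$INT_IP1" --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Replies from the hidden server are allowed; nothing it initiates is.
allow_replies() {
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_nat() {
    reset_tables
    for p in $PORTS; do publish_port "$p"; done
    allow_replies
}

# Sanity check on the generated rule set (dry run): each published port must
# produce one DNAT, one SNAT and one FORWARD accept.
count_rules() {
    apply_nat | grep -c -- "$1"
}

if [ "${DRY_RUN:-1}" != "1" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
apply_nat
```

Run it as-is to review the rules it would load; run it with `DRY_RUN=0` as root to load them. With the SNAT in place the hidden server's replies always return via the firewall regardless of the server's default route, which is what makes the link-local 169.254 test client workable at all.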