How to access one machine behind iptables, on different subnet?

10-29-2010, 08:22 AM

Hi all,

I wonder if someone can help me with this: The setup is as follows:

192.168.1.254 - wireless ADSL modem, with DHCP pool on 192.168.100 - 192.168.200
192.168.1.250 - Linux firewall RED interface
192.168.2.250 - Linux firewall GREEN interface.

There are some normal LAN clients behind the Linux firewall's GREEN
interface, which can all access each other's shared services and also
all the clients behind the RED interface. i.e. those clients connected
to the 192.168.1.254 ADSL wifi APP directly.

Now I want the clients on the "outside" to connect to one specific
host on the inside, behind the GREEN interface, on IP 192.168.1.20.
How would I do that? I know I can do this with port fowarding, but
need many ports forwarded. How do I give full access to all ports on
this IP, instead of forwarding every port? Does that make sense?

Currently no clients on the 192.168.1.0 subnect can access any client
on the 192.168.2.0 subnet.

[root@intranet ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:tftp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:25151

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state
RELATED,ESTAB
LISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere
reject-with icmp-po
rt-unreachable
REJECT all -- anywhere anywhere
reject-with icmp-po
rt-unreachable
ACCEPT all -- 192.168.2.0/24 anywhere
ACCEPT all -- anywhere 192.168.2.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@intranet ~]# route -nv
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0

The Linux firewall runs CentOS 5.5. x64

[root@intranet ~]# cat /etc/redhat-release
CentOS release 5.5 (Final)

[root@intranet ~]# iptables -V
iptables v1.3.5

--
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

10-29-2010, 12:10 PM

On Friday 29 October 2010 04:22:52 Rudi Ahlers wrote:
> How do I give full access to all ports on this IP, instead of forwarding
> every port?

Sure. That's called One-to-One NAT. You'll do something like this:

iptables -t nat -I PREROUTING -d 192.168.1.20 -j DNAT --to-destination $GREEN

...where $GREEN is one ip on your 192.168.2.x network. Then make sure you
have the proper "allow" rules on the INPUT chain for your LAN ip ($GREEN).

The above was for ingress traffic. Now, for egress traffic (for this internal LAN
ip) you'll need to perform NAT as well:

iptables -t nat -A POSTROUTING -s $GREEN -j SNAT --to-source 192.168.1.20

Check out:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptable s

HTH,
Jorge
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos