Error in NAT rule with iptables? Wrong NIC?

subnetting
2013-01-14
2013-03-05

    Hi,

    On a firewall with 4 NICs, when I create one NAT rule for my DMZ-Ext and one for my DMZ-Int I get the expected result, but when I create a single rule with both network objects (dmz-ext and dmz-int) in Src I get a different result:

    Firewall:
    eth0 -> wan and IP address 192.168.0.205
    eth1 -> lan and IP address 192.168.2.205
    eth2 -> dmz-ext and IP address 192.168.3.205
    eth3 -> dmz-int and IP address 192.168.4.205

    FW / NAT / rule 1 -> SNAT for the DMZ-ext:
    DMZ-Ext in Original Src and FW object in Translated Src

    echo "Rule 1 (NAT)"
    #
    $IPTABLES -t nat -A POSTROUTING -o eth0   -s 192.168.3.0/24  -j SNAT --to-source 192.168.0.205
    $IPTABLES -t nat -A POSTROUTING -o eth1   -s 192.168.3.0/24  -j SNAT --to-source 192.168.2.205
    $IPTABLES -t nat -A POSTROUTING -o eth3   -s 192.168.3.0/24  -j SNAT --to-source 192.168.4.205

    FW / NAT / rule 2 -> SNAT for the DMZ-Int:
    DMZ-Int in Original Src and FW object in Translated Src

    echo "Rule 2 (NAT)"
    #
    # Translate source address
    # for outgoing connections
    $IPTABLES -t nat -A POSTROUTING -o eth0   -s 192.168.4.0/24  -j SNAT --to-source 192.168.0.205
    $IPTABLES -t nat -A POSTROUTING -o eth1   -s 192.168.4.0/24  -j SNAT --to-source 192.168.2.205
    $IPTABLES -t nat -A POSTROUTING -o eth2   -s 192.168.4.0/24  -j SNAT --to-source 192.168.3.205

    But when I create a single rule with the DMZ-Ext and DMZ-Int objects in Original Src and the FW object in Translated Src:
    $IPTABLES -t nat -A POSTROUTING -o eth0   -s 192.168.3.0/24  -j SNAT --to-source 192.168.0.205
    $IPTABLES -t nat -A POSTROUTING -o eth1   -s 192.168.3.0/24  -j SNAT --to-source 192.168.2.205
    $IPTABLES -t nat -A POSTROUTING -o eth3   -s 192.168.3.0/24  -j SNAT --to-source 192.168.4.205
    $IPTABLES -t nat -A POSTROUTING -o eth0   -s 192.168.4.0/24  -j SNAT --to-source 192.168.0.205
    $IPTABLES -t nat -A POSTROUTING -o eth1   -s 192.168.4.0/24  -j SNAT --to-source 192.168.2.205
    $IPTABLES -t nat -A POSTROUTING -o eth3   -s 192.168.4.0/24  -j SNAT --to-source 192.168.4.205  <--- ERROR??

    I think the last line is wrong. I think it should be -o eth2 and --to-source 192.168.3.205 (as happens when I create one rule per object).

    Is it an fwbuilder error, or mine?

    Greetings from Spain, and thank you very much for your great work.
    Manuel
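
An added check for the situation in the post above; this is example code, not fwbuilder's generated script or the poster's own. It regenerates the SNAT rules one would expect from the interface table in the post (firewall addresses on eth0..eth3, dmz-ext 192.168.3.0/24 behind eth2, dmz-int 192.168.4.0/24 behind eth3) and diffs a pasted rule set against them, so a rule that leaves on the wrong NIC or translates to the wrong address shows up as MISSING or UNEXPECTED. The function names, the `net:iface` argument form and the `POSTED_RULES` variable are this example's own; the embedded rule set is the combined one from the post.

```shell
#!/bin/sh
# Added example, not fwbuilder's or the poster's code. Regenerates the SNAT
# rules expected from the interface table in the post and diffs a pasted rule
# set against them, so a rule leaving on the wrong NIC or translating to the
# wrong address stands out.
#
# Assumptions taken from the post: the eth0..eth3 addresses below,
# dmz-ext = 192.168.3.0/24 behind eth2, dmz-int = 192.168.4.0/24 behind eth3.

IFACES="eth0 eth1 eth2 eth3"

# Address to translate to when a packet leaves on interface $1 (the firewall's
# own address on that NIC, as listed in the post).
iface_addr() {
  case "$1" in
    eth0) echo 192.168.0.205 ;;
    eth1) echo 192.168.2.205 ;;
    eth2) echo 192.168.3.205 ;;
    eth3) echo 192.168.4.205 ;;
    *) return 1 ;;
  esac
}

# Expected SNAT rules for network $1 whose own interface is $2: one rule per
# *other* interface, translating to that interface's address. No rule is
# generated for the network's own interface; the per-object rules in the post
# do not translate traffic going back into its own segment.
snat_rules_for() {
  net=$1; own=$2
  for i in $IFACES; do
    [ "$i" = "$own" ] && continue
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
      "$i" "$net" "$(iface_addr "$i")"
  done
}

# Reduce every POSTROUTING/SNAT rule on stdin to "iface src to-source", so that
# "$IPTABLES" vs "iptables", extra spaces, and a one- or two-dash "to-source"
# all compare equal.
normalize() {
  sed -n '/POSTROUTING.*SNAT/s/.* -o  *\([^ ]*\).* -s  *\([^ ]*\).*to-source  *\([^ ]*\).*/\1 \2 \3/p'
}

# Diff the rule set on stdin against the expected one for each net:iface pair
# given as an argument. Prints MISSING/UNEXPECTED lines and returns their
# count (0 when the sets match).
check_snat() {
  exp=$(for p in "$@"; do snat_rules_for "${p%:*}" "${p#*:}"; done | normalize | sort)
  act=$(normalize | sort)
  report=$(
    printf '%s\n' "$exp" | while read -r r; do
      [ -n "$r" ] || continue
      printf '%s\n' "$act" | grep -qxF -- "$r" \
        || printf 'MISSING:    -o %s -s %s --to-source %s\n' $r
    done
    printf '%s\n' "$act" | while read -r r; do
      [ -n "$r" ] || continue
      printf '%s\n' "$exp" | grep -qxF -- "$r" \
        || printf 'UNEXPECTED: -o %s -s %s --to-source %s\n' $r
    done
  )
  [ -n "$report" ] && printf '%s\n' "$report"
  n=$(printf '%s\n' "$report" | grep -c .) || true
  return "$n"
}

# The combined rule set from the post (generated with both network objects in
# Original Src), with the $IPTABLES variable left exactly as posted.
POSTED_RULES='$IPTABLES -t nat -A POSTROUTING -o eth0   -s 192.168.3.0/24  -j SNAT --to-source 192.168.0.205
$IPTABLES -t nat -A POSTROUTING -o eth1   -s 192.168.3.0/24  -j SNAT --to-source 192.168.2.205
$IPTABLES -t nat -A POSTROUTING -o eth3   -s 192.168.3.0/24  -j SNAT --to-source 192.168.4.205
$IPTABLES -t nat -A POSTROUTING -o eth0   -s 192.168.4.0/24  -j SNAT --to-source 192.168.0.205
$IPTABLES -t nat -A POSTROUTING -o eth1   -s 192.168.4.0/24  -j SNAT --to-source 192.168.2.205
$IPTABLES -t nat -A POSTROUTING -o eth3   -s 192.168.4.0/24  -j SNAT --to-source 192.168.4.205'

# Usage: compare the posted rules with what the two per-object rules produce.
printf '%s\n' "$POSTED_RULES" | check_snat 192.168.3.0/24:eth2 192.168.4.0/24:eth3 \
  || echo "$? rule(s) differ from the expected set"
```

Run against the combined rule set, the script reports one MISSING rule (`-o eth2 -s 192.168.4.0/24 --to-source 192.168.3.205`) and one UNEXPECTED rule (`-o eth3 -s 192.168.4.0/24 --to-source 192.168.4.205`), which is exactly the swap described in the post: the dmz-int network has a rule for leaving on its own interface instead of one for eth2. The same check run on the output of the two per-object rules reports nothing, so it is a quick way to compare what fwbuilder emits for a multi-object rule with what the single-object rules give.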