From: Dave H. <dh...@se...> - 2005-09-21 01:56:35
Hi. I've used this method someone suggested of keeping IP addresses real in packets sent from green to orange, where they are also forwarded from red to orange. The idea is that certain green IPs are not allowed certain functions and the server in the DMZ should know which machine is calling it. Without the following in rc.local, every such request appears to come from 192.168.1.1, the green interface. I didn't write it, and only barely understand it.

From rc.local:

# Fix Forwarding from GREEN to ORANGE, so that forwarded IP addresses remain true.
# Empty the custom POSTROUTING chain, then SNAT any packet carrying mark 42.
iptables -t nat -F CUSTOMPOSTROUTING
iptables -t nat -A CUSTOMPOSTROUTING -m mark --mark 42 -j SNAT --to-source 192.168.10.2
# Empty the mangle PREROUTING chain, then set mark 42 on TCP packets arriving
# on eth0 that are addressed to 10.0.0.1, so the rule above matches them.
iptables -t mangle -F PREROUTING
iptables -t mangle -A PREROUTING -p tcp -i eth0 -d 10.0.0.1 -j MARK --set-mark 42
# Remove the POSTPORTFW rules that rewrite the green source address to
# 192.168.1.1 for the forwarded mail and web ports.
iptables -t nat -D POSTPORTFW -s 192.168.1.0/24 -d mail-server -p tcp --dport 25 -j SNAT --to-source 192.168.1.1
iptables -t nat -D POSTPORTFW -s 192.168.1.0/24 -d mail-server -p tcp --dport 110 -j SNAT --to-source 192.168.1.1
iptables -t nat -D POSTPORTFW -s 192.168.1.0/24 -d mail-server -p tcp --dport 80 -j SNAT --to-source 192.168.1.1

There is a corresponding red->orange forward in the Port Forward admin page for each of these (and plenty more). The idea is that laptop users can use the red IP address for these services whether inside or outside; whether they are forwarded to orange or green was up to IPCop. It works great.

I also have a port listed in the forwarding page which goes to green. Again, requests to the red address worked from inside or outside. Since updating from 1.4.6 to 1.4.8, this red to green translation (originating from inside green) no longer works using the red address. Requests from green to orange still work using the red IP. However, there's nothing in the firewall log about it.

Yes, I know it's a bit of a mess to get your head around. Can anyone suggest what sort of mod I'd need to the code since whatever has changed in 1.4.8?

-- 
Dave Harry
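Added example, not code from the post above and not IPCop's own scripts: the same mark-then-SNAT pattern as a small sh script, with the interface, addresses, server name and port list pulled into variables (the post's values are reused as assumed defaults), a delete-then-add helper in place of the blanket `-F` (which empties the whole chain, including rules anything else put there), and a dry-run mode (`IPT=echo`) that prints the generated rules instead of loading them. The `replace_rule` and `apply_rules` names are hypothetical.

```shell
#!/bin/sh
# Added example (not the poster's rc.local, not IPCop code). Defaults mirror
# the post; every interface and address value here is an assumption.
set -e

GREEN_IF=${GREEN_IF:-eth0}
GREEN_NET=${GREEN_NET:-192.168.1.0/24}
GREEN_IP=${GREEN_IP:-192.168.1.1}      # address the POSTPORTFW rules SNAT to
RED_IP=${RED_IP:-10.0.0.1}             # address green clients connect to
SNAT_SRC=${SNAT_SRC:-192.168.10.2}     # source written onto marked packets
MARK=${MARK:-42}
DMZ_SERVER=${DMZ_SERVER:-mail-server}
PORTS=${PORTS:-"25 110 80"}
IPT=${IPT:-iptables}                   # IPT=echo prints rules instead of loading them

# mangle rule: tag TCP packets entering on GREEN and addressed to the red IP.
mark_rule() {
    printf '%s\n' "-p tcp -i $GREEN_IF -d $RED_IP -j MARK --set-mark $MARK"
}

# nat rule: rewrite the source of any packet carrying the mark.
snat_rule() {
    printf '%s\n' "-m mark --mark $MARK -j SNAT --to-source $SNAT_SRC"
}

# The per-port POSTPORTFW rule whose removal lets the real green source
# address reach the DMZ server. $1 = destination port.
portfw_rule() {
    printf '%s\n' "-s $GREEN_NET -d $DMZ_SERVER -p tcp --dport $1 -j SNAT --to-source $GREEN_IP"
}

# Delete the rule if it is already there (ignoring "not found"), then append
# it once. Unlike "-F", this leaves unrelated rules in the chain alone and is
# safe to run repeatedly from rc.local.
replace_rule() {             # $1 = table, $2 = chain, rest = rule
    table=$1; chain=$2; shift 2
    $IPT -t "$table" -D "$chain" $* 2>/dev/null || true
    $IPT -t "$table" -A "$chain" $*
}

apply_rules() {
    replace_rule mangle PREROUTING $(mark_rule)
    replace_rule nat CUSTOMPOSTROUTING $(snat_rule)
    for port in $PORTS; do
        # The rule may already be gone on a re-run; that is not an error.
        $IPT -t nat -D POSTPORTFW $(portfw_rule "$port") 2>/dev/null || true
    done
}

# Only touch the firewall when explicitly asked: "sh fixfwd.sh apply".
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run `IPT=echo sh fixfwd.sh apply` first and read the seven printed rules; then call it with `apply` (as root) from rc.local. Marking happens in mangle PREROUTING and the SNAT in a nat POSTROUTING chain, so the mark must be set before routing for the SNAT match to see it; that ordering is the same in the post's rules and here.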