Rudi Ahlers
2010-Oct-29 08:22 UTC
[CentOS] How to access one machine behind iptables, on different subnet?
Hi all,

I wonder if someone can help me with this. The setup is as follows:

192.168.1.254 - wireless ADSL modem, with DHCP pool on 192.168.100 - 192.168.200
192.168.1.250 - Linux firewall RED interface
192.168.2.250 - Linux firewall GREEN interface.

There are some normal LAN clients behind the Linux firewall's GREEN interface, which can all access each other's shared services and also all the clients behind the RED interface, i.e. those clients connected to the 192.168.1.254 ADSL wifi AP directly.

Now I want the clients on the "outside" to connect to one specific host on the inside, behind the GREEN interface, on IP 192.168.1.20. How would I do that? I know I can do this with port forwarding, but need many ports forwarded. How do I give full access to all ports on this IP, instead of forwarding every port? Does that make sense?

Currently no clients on the 192.168.1.0 subnet can access any client on the 192.168.2.0 subnet.

[root at intranet ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:tftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:25151

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  192.168.2.0/24       anywhere
ACCEPT     all  --  anywhere             192.168.2.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root at intranet ~]# route -nv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

The Linux firewall runs CentOS 5.5 x64.

[root at intranet ~]# cat /etc/redhat-release
CentOS release 5.5 (Final)
[root at intranet ~]# iptables -V
iptables v1.3.5

--
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
Jorge Fábregas
2010-Oct-29 12:10 UTC
[CentOS] How to access one machine behind iptables, on different subnet?
On Friday 29 October 2010 04:22:52 Rudi Ahlers wrote:
> How do I give full access to all ports on this IP, instead of forwarding
> every port?

Sure. That's called One-to-One NAT. You'll do something like this:

iptables -t nat -I PREROUTING -d 192.168.1.20 -j DNAT --to-destination $GREEN

...where $GREEN is one IP on your 192.168.2.x network. Then make sure you have the proper "allow" rules on the INPUT chain for your LAN IP ($GREEN).

The above was for ingress traffic. Now, for egress traffic (for this internal LAN IP) you'll need to perform NAT as well:

iptables -t nat -A POSTROUTING -s $GREEN -j SNAT --to-source 192.168.1.20

Check out:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

HTH,
Jorge
Dan Carl
2010-Oct-29 16:01 UTC
[CentOS] How to access one machine behind iptables, on different subnet?
On 10/29/2010 3:22 AM, Rudi Ahlers wrote:
> Hi all,
>
> I wonder if someone can help me with this: The setup is as follows:
>
> 192.168.1.254 - wireless ADSL modem, with DHCP pool on 192.168.100 - 192.168.200
> 192.168.1.250 - Linux firewall RED interface
> 192.168.2.250 - Linux firewall GREEN interface.
>
> There are some normal LAN clients behind the Linux firewall's GREEN
> interface, which can all access each other's shared services and also
> all the clients behind the RED interface. i.e. those clients connected
> to the 192.168.1.254 ADSL wifi AP directly.
>
> Now I want the clients on the "outside" to connect to one specific
> host on the inside, behind the GREEN interface, on IP 192.168.1.20.
> How would I do that? I know I can do this with port forwarding, but
> need many ports forwarded. How do I give full access to all ports on
> this IP, instead of forwarding every port? Does that make sense?
<snip>

Not much of a firewall if you allow everything, unless you're limiting the "outside" IPs.

Other solutions would be to either allow a range of ports, e.g.

--dport 5000:5500
--dport 1024:65535 (all unassigned ports)

or define the ports you wish to allow with a variable, e.g.

FORWARDPORTS="1024 1025 1026"

Even a hybrid like this should work, e.g.

FORWARDPORTS="1024 1025 1026 5000:5500"

Then call the variable in your forward rules.

Dan
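The two approaches in this thread, Jorge's one-to-one NAT and Dan's per-port forwarding driven by a FORWARDPORTS variable, written out as one script. This is an added example, not code posted by anyone in the thread. The addresses are the ones Rudi gave and the interface names follow his route table (eth0 = RED, eth1 = GREEN); everything else is assumed: that 192.168.1.20 is an extra address the firewall holds on its RED interface (so it answers for it), that the inside host is 192.168.2.20 (the thread never states its GREEN address), that only TCP is forwarded, and that outside clients are limited to 192.168.1.0/24 as Dan suggests. The script prints the iptables commands by default; set APPLY=1 to run them as root. Both variants add the FORWARD-chain rules that NAT alone does not provide, and the port list is validated so a typo cannot become an unintended wide-open rule. When checking the result on the box, use `iptables -L -n -v` rather than plain `iptables -L`: the plain listing in the first post hides the -i/-o interface matches, so rules that print identically (the two anywhere/anywhere REJECTs) can in fact differ.

```shell
#!/bin/sh
# Added example (not from the thread). Prints, or with APPLY=1 applies,
# iptables rules for (1) one-to-one NAT and (2) selected-port forwarding.
# Interface names follow the posted route table; the rest are assumptions.
RED_IF=eth0
GREEN_IF=eth1
OUTSIDE_IP=192.168.1.20       # address outside clients connect to (assumed alias on RED)
GREEN_HOST=192.168.2.20       # inside host behind GREEN (assumed)
ALLOWED_SRC=192.168.1.0/24    # who on the RED side may reach it
FORWARDPORTS="1024 1025 1026 5000:5500"   # constructed: Dan's hybrid list

ipt() {
    # Dry-run by default so the rule set can be reviewed before it touches a live box.
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

valid_portspec() {
    # Accept "N" or "N:M" with 1 <= N <= M <= 65535; reject anything else.
    case "$1" in
        *[!0-9:]*|''|:*|*:|*:*:*) return 1 ;;
    esac
    lo=${1%%:*}
    hi=${1##*:}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

one_to_one_nat() {
    # Inbound: rewrite the destination of anything aimed at the outside address.
    ipt -t nat -A PREROUTING -i "$RED_IF" -s "$ALLOWED_SRC" -d "$OUTSIDE_IP" \
        -j DNAT --to-destination "$GREEN_HOST"
    # Outbound: traffic from the inside host leaves RED as the outside address.
    ipt -t nat -A POSTROUTING -o "$RED_IF" -s "$GREEN_HOST" -j SNAT --to-source "$OUTSIDE_IP"
    # NAT only rewrites addresses; FORWARD must still pass the packets. After DNAT
    # the destination FORWARD sees is already the GREEN host.
    ipt -A FORWARD -i "$RED_IF" -o "$GREEN_IF" -s "$ALLOWED_SRC" -d "$GREEN_HOST" -j ACCEPT
    ipt -A FORWARD -i "$GREEN_IF" -o "$RED_IF" -s "$GREEN_HOST" -j ACCEPT
}

port_forward_rules() {
    # Same DNAT, but one rule per port or range in FORWARDPORTS, TCP only.
    for spec in $FORWARDPORTS; do
        if ! valid_portspec "$spec"; then
            echo "skipping invalid port spec: $spec" >&2
            continue
        fi
        ipt -t nat -A PREROUTING -i "$RED_IF" -s "$ALLOWED_SRC" -d "$OUTSIDE_IP" \
            -p tcp --dport "$spec" -j DNAT --to-destination "$GREEN_HOST"
        ipt -A FORWARD -i "$RED_IF" -o "$GREEN_IF" -s "$ALLOWED_SRC" -d "$GREEN_HOST" \
            -p tcp --dport "$spec" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # Return traffic for the forwarded connections only.
    ipt -A FORWARD -i "$GREEN_IF" -o "$RED_IF" -s "$GREEN_HOST" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    one-to-one) one_to_one_nat ;;
    ports)      port_forward_rules ;;
    '')         ;;   # no argument: just define the functions
    *)          echo "usage: $0 one-to-one|ports   (set APPLY=1 to apply)" >&2 ;;
esac
```

Run it as `sh nat.sh one-to-one` or `sh nat.sh ports` to see the rules, then `APPLY=1 sh nat.sh ports` to load them. With one-to-one NAT the inside host is reachable on every port, which is the trade-off Dan points out; the ports variant keeps the exposure to the listed ports and refuses malformed entries instead of silently producing a broken rule.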