I have an IpCop server with two NICs (Red, Green). The internal NIC is 192.168.121.1 and the external NIC is 10.3.101.2. I would like all traffic from the Internal network (192.168.121.0) destine for the following Networks 192.168.1.0, 192.168.2.0 to NOT be NAT'd. I've done some research and found some things about Source NAT and Destination NAT, but I'm not sure this what I need. I'm familiar with this on PIXs but not a linux box. I've posted in this forum because this is out of the scope of IpCop. Thanks any help is greatly appreciated.

I'm not sure if this is different for IpCop but you should be able to simply add a rule at the top of the POSTROUTING chain which explicitly permits that traffic out without jumping to the MASQ target. Something like the below should do the trick:

iptables -t nat -I POSTROUTING 1 -d 192.168.2.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING 1 -d 192.168.1.0/24 -j ACCEPT

Check out what the rules look like using:

iptables -t nat -Lnv

This will cause iptables to route traffic to those networks but not mangle any of the IP addresses along the way so you will need to have a means to reach those networks and routes for all three networks.

Hope that helps.

Jon Hannah
Sr. Network Engineer
jhannah@hostmysite.com
HostMySite.com

Thanks for the reply. I looked up this command in the iptables man pages and it makes sense to me and is what I'm looking for, but I would just like to verify. What is the 1 after the POSTROUTING?

iptables -t nat -I POSTROUTING 1 -d 192.168.2.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING 1 -d 192.168.1.0/24 -j ACCEPT

Is that the interface that the packet is going out? Here is some info:

eth0 - RED Interface, external NIC - IP Address 10.3.101.2
eth1 - GREEN Interface, internal NIC - IP Address 192.168.121.1

Thanks again for the help. It would have took me forever to develop this.

The one after POSTROUTING puts the rule at the top of the POSTROUTING chain. This makes sure that the rule is processed before the default MASQ rule. That results in traffic to those networks not being NATed but everything else falling through to the default MASQ rule.