My setup: eth0 is a routable public IP. eth1 is a private LAN (172.16.31.0/24). eth2 is a publicly routable address block from my ISP. Is it possible to only NAT outgoing connections from eth1? I would like for the block on eth2 to expose their correct public IP when connecting out. Currently, these connections are also NAT'ed and so it looks like all connections are coming from the address on eth0. I'm using iptables MASQUERADE to do the NATing: I'm thinking this could be done using some combination of other chains, but I'm not sure the correct combination. Advise is appreciated.

Hi,

This might not be of much help to you. But this is possible and should be fairly easy. I don't ever manually change the iptables myself. I have shorewall installed on all my firewall systems. It is a front end to iptables and makes everything so much easier.

You would just add the line below to /etc/shorewall/masq file.

eth0 eth1

or

eth0 172.16.31.0/24

That's all it takes.

Cheers,

I have a different perspective than xnomad; I like to know what is actually happening in the iptables ruleset, and I find shorewall to be an irritant. Therefore, I recommend the following amendment to your NAT rule:This rule will accomplish the NAT only for your private network address block, and will forward stuff from eth2 (which has IP addresses outside the specified block) unmolested.

Parenthetically, the MASQUERADE target is really only intended for use on Internet connection links that are subject to changeable IP addresses (like dial-up lines). The distinction between MASQUERADE and SNAT is that connections are remembered when a link goes down under SNAT, but are forgotten under MASQUERADE. So if you have a DHCP link that goes down a lot, use MASQUERADE; if the IP of eth0 is constant, use SNAT.

<edit>
Err... whoops nm. Yup, that did the trick. Thanks!
</edit>