LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-21-2005, 10:41 AM   #1
alec77
LQ Newbie
 
Registered: Jul 2004
Posts: 12

Rep: Reputation: 0
Question IP MASQ help


I am looking for a solution using IP MASQ with RedHat 9.0 where i can masqurade all ip packets destined for other networks except for the packets destined for the 172.16.0.0/24 network. the packets destined for 172.16.0.0 net should just be routed normaly. I'm very new to iptables, can anyone let me know if this is possible and if so, where to start?

thanks
 
Old 03-21-2005, 11:11 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376Reputation: 376Reputation: 376Reputation: 376
to masquerade all forwarded packets exiting eth0, except those going to 172.16.0.0/24:
Code:
iptables -t nat -A POSTROUTING -o eth0 -d ! 172.16.0.0/24 -j MASQUERADE
PS: what do you mean by "routed normally"??


Last edited by win32sux; 03-21-2005 at 11:15 AM.
 
Old 03-21-2005, 11:38 AM   #3
alec77
LQ Newbie
 
Registered: Jul 2004
Posts: 12

Original Poster
Rep: Reputation: 0
what i ment by routed normaly is that the packets are routed without modification. The setup looks something liek the following:


(10.0.0.0 network)- [linux router]-(172.16.0.0 network)-[internet router]-(internet)

hosts on the 10.0.0.0 network need to access printers and servers on the 172.16.0.0 network and also have internet access. I can't modify the routing tables on the internet router to put a route to 10.0.0.0 network so I was planning on using NAT for the 10.0.0.0 network through 172.16.0.254 on the linux router
 
Old 03-21-2005, 12:12 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376Reputation: 376Reputation: 376Reputation: 376
seems to me that by doing a simple NAT on [linux router] everything would be fine... i mean, packets coming from 10.0.0.0 will be NATed by [linux router] and they will look like they came from 172.16.0.0 anyways... so connecting to the servers on 172.16.0.0 from 10.0.0.0 would be a non-issue... the same goes for the internet access, as the packets coming from 10.0.0.0 would look like they were coming from 172.16.0.0 to [internet router]...

if the external interface on [linux router] has a static ip, don't use MASQUERADING, use NAT instead...

if i understand what you are trying to do, then it woud seem to me like you wouldn't need to have a POSTROUTING exception for packets going to 172.16.0.0...

Last edited by win32sux; 03-21-2005 at 12:14 PM.
 
Old 03-22-2005, 08:10 AM   #5
alec77
LQ Newbie
 
Registered: Jul 2004
Posts: 12

Original Poster
Rep: Reputation: 0
what would be the best way to use simple NAT?
 
Old 03-22-2005, 11:15 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376Reputation: 376Reputation: 376Reputation: 376
Quote:
Originally posted by alec77
what would be the best way to use simple NAT?
well, let's say that [linux router] has internal interface eth0 (on network 10.0.0.0) and external interface eth1 with ip 172.16.0.254, then the POSTROUTING rule for it to NAT for the 10.0.0.0 network would look like:

Code:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.16.0.254
but if [linux router] gets it's ip address from [internet router] via DHCP, then use MASQUERADE instead of SNAT:
Code:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
of course either way you'd also need to activate the forwarding, for example:

Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward

Last edited by win32sux; 03-22-2005 at 02:24 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
linux masq server to linux masq server VPN rob_roman23 Linux - Networking 0 09-13-2003 10:54 AM
masq jakublgz Slackware 3 10-03-2002 08:35 PM
firewall script run at boot -> no masq, rerun manually -> masq worx Griffon26 Linux - Networking 2 06-24-2002 04:17 AM
IP Masq on RH 7.2 aceexpert Linux - Software 3 04-24-2002 06:07 AM
IP Masq Nephlite Linux - Networking 2 01-31-2002 07:36 PM


All times are GMT -5. The time now is 01:25 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration