IP MASQ help

alec77 · 03-21-2005, 09:41 AM

I am looking for a solution using IP MASQ with RedHat 9.0 where i can masqurade all ip packets destined for other networks except for the packets destined for the 172.16.0.0/24 network. the packets destined for 172.16.0.0 net should just be routed normaly. I'm very new to iptables, can anyone let me know if this is possible and if so, where to start?

thanks

win32sux · 03-21-2005, 10:11 AM

to masquerade all forwarded packets exiting eth0, except those going to 172.16.0.0/24:

Code:

iptables -t nat -A POSTROUTING -o eth0 -d ! 172.16.0.0/24 -j MASQUERADE

PS: what do you mean by "routed normally"??

alec77 · 03-21-2005, 10:38 AM

what i ment by routed normaly is that the packets are routed without modification. The setup looks something liek the following:

(10.0.0.0 network)- [linux router]-(172.16.0.0 network)-[internet router]-(internet)

hosts on the 10.0.0.0 network need to access printers and servers on the 172.16.0.0 network and also have internet access. I can't modify the routing tables on the internet router to put a route to 10.0.0.0 network so I was planning on using NAT for the 10.0.0.0 network through 172.16.0.254 on the linux router

win32sux · 03-21-2005, 11:12 AM

seems to me that by doing a simple NAT on [linux router] everything would be fine... i mean, packets coming from 10.0.0.0 will be NATed by [linux router] and they will look like they came from 172.16.0.0 anyways... so connecting to the servers on 172.16.0.0 from 10.0.0.0 would be a non-issue... the same goes for the internet access, as the packets coming from 10.0.0.0 would look like they were coming from 172.16.0.0 to [internet router]...

if the external interface on [linux router] has a static ip, don't use MASQUERADING, use NAT instead...

if i understand what you are trying to do, then it woud seem to me like you wouldn't need to have a POSTROUTING exception for packets going to 172.16.0.0...

alec77 · 03-22-2005, 07:10 AM

what would be the best way to use simple NAT?

win32sux · 03-22-2005, 10:15 AM

Quote:

Originally posted by alec77
what would be the best way to use simple NAT?

well, let's say that [linux router] has internal interface eth0 (on network 10.0.0.0) and external interface eth1 with ip 172.16.0.254, then the POSTROUTING rule for it to NAT for the 10.0.0.0 network would look like:

Code:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.16.0.254

but if [linux router] gets it's ip address from [internet router] via DHCP, then use MASQUERADE instead of SNAT:

Code:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

of course either way you'd also need to activate the forwarding, for example:

Code:

iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward