LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-19-2003, 05:24 AM   #1
MadCactus
Member
 
Registered: Jul 2003
Distribution: Slackware 9.1
Posts: 195

Rep: Reputation: 30
DNAT local address range?


Hi,

If I do:

iptables -t nat -A PREROUTING -i eth0 -j DNAT --to $range_start-$range_end

Does this take any incoming packets as part of an existing connection (assuming source NAT is set up), and automatically forward them to the right local address?

Would a valid range be say, 10.1.1.0-10.1.1.255? Would all addresses in the range have to be contiguous?

My problem might be that NAT might be needed for some DHCP clients in that range, would I have to give them all static addresses?

Cheers,

MadCactus
 
Old 11-19-2003, 12:12 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I'm not 100% sure, but I think giving a range of ip addresses with the DNAT target does a form of load sharing. So if you had remote hosts A, B, and C all trying to connect to your router, the first one (Host A) would be routed to the first machine in the DNAT range, Host B would then be routed to the second, and Host C would go to the third, etc. So I don't think that's what you're trying to do. I could be wrong on that though.

If you could be a little more specific on what you're trying to accomplish, that might help. If you're trying to NAT a bunch of clients on a LAN and you're just looking for a way to allow them to connect out, what you're after is either SNAT or IP Masquerading. Which one you need depends on whether your router/gateway machine itself has a permanent ip address or if it's dynamically assigned.
 
Old 11-19-2003, 05:29 PM   #3
MadCactus
Member
 
Registered: Jul 2003
Distribution: Slackware 9.1
Posts: 195

Original Poster
Rep: Reputation: 30
Yeah, connection sharing is what I'm after - basically a hard-as-a-jawbreaker proxy gateway for web, ftp access from a LAN. I'm pre-empting my boss though, as he hasn't decided what to go for, and I want to have the script ready if he chooses Linux.

It's Ethernet 10/100 and we're going out through a DSL connection - the proxy server (2 NICs) would be hooked into the router. It's got a static IP address, so I'd only need source NAT for that? How do the packets find their way back to the right host on the LAN? Is it done automatically (magically)?
 
Old 11-19-2003, 06:52 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
As long as the gateway/router has a static ip, use an SNAT rule like this:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx

Where eth0 is the external interface connected to the 'net and xxx.xxx.xxx.xxx is the external ip address of the gateway/router box. If you ever find yourself in a situation with a dynamic ip on the gateway, you'd use ip masquerading instead. The syntax is pretty much the same:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

As for how the packets find their way back into the proper machine on the LAN side, iptables keeps track of what connections go with which remote host and matches those to the proper LAN host. I think you could visualize it like a sort of "routing table". If you're ever curious, you can actually watch it work by checking out /proc/net/ip_conntrack and see the various states of connections. So yeah, it's kind of automagical.

The nice part about setting it up that way is that the LAN hosts can connect out and maintain connections with remote hosts, but someone from the outside shouldn't be able to initiate a connection into the LAN (at least if you do it right).

If you want to allow incoming traffic, to say a public webserver in the LAN, then you'd use DNAT'ing and FORWARDing to direct that traffic to the specified internal host.
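To tie together the SNAT-versus-MASQUERADE choice from reply #2 and the rules in reply #4, here is an added example script (not posted in the thread, not anyone's production ruleset). It assumes eth0 is the external interface, eth1 the LAN interface, 10.1.1.0/24 the LAN, 203.0.113.5 the gateway's static address and 10.1.1.10 a published web server; all of those are placeholders. It also adds the two things a working gateway needs that the rules above leave implicit: enabling IP forwarding, and conntrack rules so replies to LAN-initiated connections are let back through FORWARD while unsolicited inbound connections are dropped. With DRY_RUN=1 (the default) it only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, addresses and the
# published server are assumed placeholders (RFC 5737 documentation ranges).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.

DRY_RUN="${DRY_RUN:-1}"

# Outbound NAT: SNAT needs a fixed external address, MASQUERADE looks the
# address up per packet and suits a dynamically assigned one.
# Usage: nat_out_rule <ext_if> [<static_ext_ip>]
nat_out_rule() {
    if [ -n "$2" ]; then
        printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$1" "$2"
    else
        printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
    fi
}

# Publishing one internal service: DNAT in PREROUTING rewrites the
# destination, and a matching FORWARD rule lets the new connection through.
# Usage: publish_rules <ext_if> <lan_if> <proto> <port> <internal_ip>
publish_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$3" "$4" "$5" "$4"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$1" "$2" "$3" "$5" "$4"
}

# The whole gateway rule set, one command per line.
# Usage: gateway_rules <ext_if> <lan_if> <lan_net> [<static_ext_ip>]
gateway_rules() {
    ext_if="$1"; lan_if="$2"; lan_net="$3"; ext_ip="$4"

    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -F'
    echo 'iptables -t nat -F'
    # Default deny for traffic to and through the box; the box itself may talk out.
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P OUTPUT ACCEPT'

    # Replies to connections the gateway or a LAN host opened are let back in.
    # This is the conntrack table doing the "automagic" return mapping.
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'

    # INPUT covers every interface; -i narrows it. SSH to the gateway is
    # accepted only when it arrives on the LAN interface.
    printf 'iptables -A INPUT -i %s -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' "$lan_if"

    # LAN hosts may open new connections outward; nothing else is forwarded.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$lan_if" "$ext_if" "$lan_net"

    nat_out_rule "$ext_if" "$ext_ip"
}

# Print the commands, or feed them to a shell when DRY_RUN=0.
apply_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        cat
    else
        sh -e
    fi
}

gateway_rules eth0 eth1 10.1.1.0/24 203.0.113.5 | apply_rules
publish_rules eth0 eth1 tcp 80 10.1.1.10 | apply_rules
```

Two practical notes: apply a default-DROP INPUT policy from the console, not over SSH on the external interface, or the session that loads it gets cut off; and active-mode ftp from the LAN only works through this set if the conntrack ftp helper (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp later) is loaded so the data connection counts as RELATED.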
 
Old 11-20-2003, 04:34 AM   #5
MadCactus
Member
 
Registered: Jul 2003
Distribution: Slackware 9.1
Posts: 195

Original Poster
Rep: Reputation: 30
Ahh, love that iptables magic. I never thought it would be so simple; some of the example scripts in my book are V. complex...

Shouldn't need to muck about with forwarding though as we have another connection for our mail + web server using a HW firewall box.

One more point though: does the INPUT chain apply to all NICs in the box? Likewise the OUTPUT chain? I was kind of thinking that INPUT was incoming traffic from the external network, and OUTPUT was outgoing traffic to the external network... I'm wrong, right?
 
Old 11-20-2003, 09:47 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by MadCactus
Ahh, love that iptables magic. I never thought it would be so simple; some of the example scripts in my book are V. complex...
You'll see people with ridiculously long rule sets that are really complex. A lot of the time they have redundant rules that are unnecessary. Even though the iptables syntax and structure can be complex, your ruleset really can be surprisingly short depending on your needs.


Quote:

One more point though: does the INPUT chain apply to all NICs in the box? Likewise the OUTPUT chain?
Correct, both the INPUT and OUTPUT chains apply to all interfaces unless you specify one directly, for example "iptables -A INPUT -i eth0", would be limited to incoming packets on the eth0 interface.


Quote:

I was kind of thinking that INPUT was incoming traffic from the external network, and OUTPUT was outgoing traffic to the external network... I'm wrong, right?
No, INPUT is ANY traffic that is coming into the box, regardless of which interface or whether it's coming from the LAN side or from the internet side. The OUTPUT chain is ANY traffic going out of the box, regardless of interface or direction. Again, you could use the -i and -o descriptors to further narrow down which interface the traffic is coming into and which one it would be going out. There are some exceptions to that with traffic that is being forwarded to other boxes, but that's another story in itself.
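Reply #4 points at /proc/net/ip_conntrack as the place to watch the return mapping, and reply #6 mentions that forwarded traffic is the exception to the plain INPUT/OUTPUT picture. The added example below (not from the thread) makes both visible: it reads conntrack lines and, for each flow, shows which address a reply arrives at and which host it is delivered to. Each entry carries two tuples, the original direction (first src/dst/sport/dport group) and the reply direction (second group); when SNAT has rewritten the source, the reply's dst is the gateway's external address while the original src is the LAN host, and the kernel reverses that in PREROUTING before the routing decision, so the reply goes through FORWARD rather than INPUT. The sample lines are constructed, using placeholder addresses, and a real gateway would feed the function from /proc/net/ip_conntrack (or /proc/net/nf_conntrack on later kernels, whose extra leading columns the parser accepts).

```shell
#!/bin/sh
# Added example, not from the thread. Parses ip_conntrack / nf_conntrack style
# lines and reports where the reply to each flow is delivered. Sample data
# below is constructed with RFC 5737 placeholder addresses.

conntrack_map() {
    awk '
    {
        split("", seen); split("", orig); split("", reply)
        # nf_conntrack lines start with "ipv4 2 tcp 6 ...", ip_conntrack with "tcp 6 ..."
        proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            k = kv[1]
            if (k != "src" && k != "dst" && k != "sport" && k != "dport") continue
            # first occurrence of a key is the original tuple, second the reply tuple
            if (k in seen) reply[k] = kv[2]; else { orig[k] = kv[2]; seen[k] = 1 }
        }
        if (!("src" in orig) || !("dst" in reply)) next   # not a flow line
        if (!("sport" in orig)) { orig["sport"] = "-"; orig["dport"] = "-"; reply["dport"] = "-" }  # e.g. icmp
        # Reply src differs from original dst: destination was rewritten (DNAT).
        # Reply dst differs from original src: source was rewritten (SNAT).
        # Both match: the gateway itself owns the connection (plain routed,
        # un-NATed flows would also match; this gateway NATs everything it forwards).
        if (reply["src"] != orig["dst"]) where = "DNAT, FORWARD"
        else if (reply["dst"] != orig["src"] || reply["dport"] != orig["sport"]) where = "SNAT, FORWARD"
        else where = "local, INPUT"
        printf "%s %s:%s -> %s:%s | reply dst %s:%s maps to %s:%s [%s]\n",
            proto, orig["src"], orig["sport"], orig["dst"], orig["dport"],
            reply["dst"], reply["dport"], orig["src"], orig["sport"], where
    }'
}

# Constructed sample: a LAN host browsing, a LAN DNS lookup, the gateway's own
# HTTPS connection, and an inbound connection to a DNAT-published web server.
SAMPLE='tcp      6 431995 ESTABLISHED src=10.1.1.5 dst=198.51.100.7 sport=40123 dport=80 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=40123 [ASSURED] use=1
udp      17 29 src=10.1.1.7 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=5353 use=1
tcp      6 117 TIME_WAIT src=203.0.113.5 dst=198.51.100.9 sport=51000 dport=443 src=198.51.100.9 dst=203.0.113.5 sport=443 dport=51000 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=198.51.100.20 dst=203.0.113.5 sport=33000 dport=80 src=10.1.1.10 dst=198.51.100.20 sport=80 dport=33000 [ASSURED] use=1'

# On a real gateway: conntrack_map < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE" | conntrack_map
```

Reading the output this way is also a cheap sanity check on the ruleset: any flow labelled SNAT or DNAT whose original source is not on the LAN, or whose destination is an internal host you never published, is worth a second look.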
 
All times are GMT -5.