Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-06-2003, 05:01 PM   #1
rebuke
LQ Newbie
 
Registered: Nov 2003
Posts: 6

Rep: Reputation: 0
iptables - true nat AND masquerade


I have a machine with an alias so it has the following ip address setup (some parts of ip removed for security):

Internal Network (eth0) - 192.168.0.101

External Network (eth1) - xxx.xxx.xxx.195

External Network Alias (eth1:1) - xxx.xxx.xxx.194

At the moment, I have some basic masquerading going on for the 192.168.0.0/24 subnet which automatically goes out of eth1.

Inbound I have prerouting set up to forward certain ports on the 194 address to 192.168.0.1 and some input rules so that only stuff on the 195 address gets through to the linux machine itself.

What I want to set up is true 1:1 NAT so that 192.168.0.1 goes out on the 194 address and everything else internally gets masqueraded and goes out on the 195.

Could somebody send me some example rules for doing this?

The other thing I am using is FORWARD rules to block which ports are allowed out, but I presume these would still work.

Thanks in advance,
Alex Brett
rebuke@rebuke.eu.org
 
Old 11-10-2003, 12:53 PM   #2
warath
Member
 
Registered: Oct 2001
Location: Ontario, Canada
Distribution: Redhat 9
Posts: 43

Rep: Reputation: 15
I think this would do it:
$IPTABLES -t nat -A POSTROUTING -o eth1:1 -s 192.168.0.101 -d 0/0 -j SNAT --to-source xxx.xxx.xxx.194
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -d 0/0 -j SNAT --to-source xxx.xxx.xxx.195

make sure that they show up in that order... what should happen is that traffic from your 101 address will match the first rule, and thus stop processing rules, and get forwarded on out to the internet over eth1:1.
All other traffic from addresses 192.168.0.0/255.255.255.0 will not match the first rule, but the second, which will route them over eth1.
In both cases masquerading as each eth address as set above.

Last edited by warath; 11-10-2003 at 12:58 PM.
 
Old 11-10-2003, 03:11 PM   #3
rebuke
LQ Newbie
 
Registered: Nov 2003
Posts: 6

Original Poster
Rep: Reputation: 0
I didn't think you could put device aliases in iptables - I remember reading somewhere that you couldn't and I think I tried it once and it rejected it.

Also, 192.168.0.101 is the box itself, 192.168.0.1 is the box that should go out on the 194 address.

I changed it to ignore the outgoing interface and ports and made it this:

iptables -t nat -A POSTROUTING -s 192.168.0.1 -j SNAT --to-source xxx.xxx.xxx.194

and it seemed to work properly from the 192.168.0.1 machine. I can't test everything else as I am not physically at the site and I only have remote access to the 192.168.0.1 machine, but when I am next there I will try it and see if it works. I will have to write specific rules because we only let certain other machines get out to the internet that way; the majority go through an http proxy (as this is a school and we need to filter the web access).

Thanks,
Alex Brett
rebuke@rebuke.eu.org
 
Old 11-11-2003, 02:02 PM   #4
warath
Member
 
Registered: Oct 2001
Location: Ontario, Canada
Distribution: Redhat 9
Posts: 43

Rep: Reputation: 15
Then you should be able to just remove my -o options.
Or change to "-o eth1+"
as per the iptables howto
Quote:
It is perfectly legal to specify an interface that currently does not exist; the rule will not match anything until the interface comes up. This is extremely useful for dial-up PPP links (usually interface ppp0) and the like.
As a special case, an interface name ending with a `+' will match all interfaces (whether they currently exist or not) which begin with that string. For example, to specify a rule which matches all PPP interfaces, the -i ppp+ option would be used.
You don't want packets that are staying internal (eth0) to be SNAT, which is why I think you have to have the -o option set.

Last edited by warath; 11-11-2003 at 02:08 PM.
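Pulling the thread together as an added example (this is not code posted by rebuke or warath): a small script that emits the nat-table rules for one 1:1-mapped host plus MASQUERADE for the rest of the LAN, and a check that the host-specific rule really comes before the catch-all, since POSTROUTING stops at the first matching NAT target. It keeps the thread's interface names and private addresses; the redacted public octets are replaced with the constructed placeholder prefix 203.0.113 (TEST-NET-3). Note that eth1:1 is only an address label on eth1, not a separate interface, which is why -o eth1 is used for both public addresses and why the alias name was rejected in the first place. The DNAT rule supplies the inbound half of "true" 1:1 NAT; it only rewrites addresses, so the existing FORWARD rules still decide what is allowed through in either direction.

```shell
#!/bin/sh
# Added example, not from the thread: nat-table rules for one 1:1-mapped host
# plus MASQUERADE for the rest of the LAN, and a check that the host rule
# precedes the catch-all. Interface names and private addresses follow the
# thread; the redacted public octets are replaced by the constructed
# placeholder prefix 203.0.113 (TEST-NET-3).

IPT="${IPT:-iptables}"            # set IPT="echo iptables" for a dry run
EXT_PREFIX="${EXT_PREFIX:-203.0.113}"
LAN_IF=eth0
WAN_IF=eth1                       # eth1:1 is only an address label on eth1,
                                  # so -o eth1 covers both .194 and .195
LAN_NET=192.168.0.0/24
NAT_HOST=192.168.0.1              # the one box that gets a public address of its own
NAT_HOST_PUB="$EXT_PREFIX.194"

nat_rules() {
    # Outbound, host-specific rule first: POSTROUTING stops at the first
    # matching SNAT/MASQUERADE target, so the order is what makes this work.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$NAT_HOST" -j SNAT --to-source "$NAT_HOST_PUB"
    # Everyone else leaves with eth1's primary address (.195).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Inbound half of the 1:1 mapping: traffic for .194 is rewritten to the
    # internal host. This only changes addresses; the FORWARD chain still
    # decides which of those connections are allowed through.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$NAT_HOST_PUB" -j DNAT --to-destination "$NAT_HOST"
}

# Verify rule order in a POSTROUTING listing such as the output of
# "iptables -t nat -S POSTROUTING": returns 0 when the host-specific rule
# comes before the subnet rule, 1 otherwise (or when either is missing).
check_snat_order() {
    listing="$1"
    host_line=$(printf '%s\n' "$listing" | grep -n -- "-s $NAT_HOST/32 " | cut -d: -f1 | head -n 1)
    net_line=$(printf '%s\n' "$listing" | grep -n -- "-s $LAN_NET " | cut -d: -f1 | head -n 1)
    [ -n "$host_line" ] && [ -n "$net_line" ] && [ "$host_line" -lt "$net_line" ]
}

# Apply, then audit the live table (run as root on the gateway; use
# IPT="echo iptables" to only print the commands instead).
if [ "${1:-}" = "apply" ]; then
    nat_rules
    check_snat_order "$($IPT -t nat -S POSTROUTING)" && echo "POSTROUTING order ok"
fi
```

Run it as root on the gateway with "sh nat.sh apply", or as "IPT='echo iptables' sh nat.sh apply" to see the exact commands before touching the live tables. If the rules are added to a chain that already contains the subnet MASQUERADE rule, check_snat_order will fail; in that case insert the host rule with -I rather than -A, or flush and re-add in order.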
 