Old 11-06-2003, 05:01 PM   #1
iptables - true nat AND masquerade

I have a machine with an alias so it has the following ip address setup (some parts of ip removed for security):

Internal Network (eth0) -

External Network (eth1) -

External Network Alias (eth1:1) -

At the moment, I have some basic masquerading going on for the subnet which automatically goes out of eth1.

Inbound I have prerouting set up to forward certain ports on the 194 address to and some input rules so that only stuff on the 195 address gets through to the linux machine itself.

What I want to set up is true 1:1 NAT so that goes out on the 194 address and everything else internally gets masqueraded and goes out on the 195.

Could somebody send me some example rules for doing this?

The other thing I am using is FORWARD rules to block which ports are allowed out, but I presume these would still work.

Thanks in advance,
Alex Brett
Old 11-10-2003, 12:53 PM   #2
I think this would do it:
$IPTABLES -t nat -A POSTROUTING -o eth1:1 -s -d 0/0 -j SNAT --to-source
$IPTABLES -t nat -A POSTROUTING -o eth1 -s -d 0/0 -j SNAT --to-source

make sure that they show up in that order... what should happen is that traffic from your 101 address will match the first rule, and thus stop processing rules, and get forwarded on out to the internet over eth1:1.
All other traffic from addresses will not match the first rule, but the second, which will route them over eth1.
In both cases masquerading as each eth address as set above.

Last edited by warath; 11-10-2003 at 12:58 PM.
Old 11-10-2003, 03:11 PM   #3
I didn't think you could put device aliases in iptables - I remember reading somewhere that you couldn't and I think I tried it once and it rejected it.

Also, is the box itself, is the box that should go out on the 194 address.

I changed it to ignore the outgoing interface and ports and made it this:

iptables -t nat -A POSTROUTING -s -j SNAT --to-source

and it seemed to work properly from the machine - I can't test everything else as I am not physically at the site and I only have remote access to the machine but when I am next there I will try it and see if it works. I will have to write specific rules because we only let certain other machines get out to the internet that way, the majority go through an http proxy (as this is a school and we need to filter the web access).

Alex Brett
Old 11-11-2003, 02:02 PM   #4
Then you should be able to just remove my -o options.
Or change to "-o eth1+"
as per the iptables howto
It is perfectly legal to specify an interface that currently does not exist; the rule will not match anything until the interface comes up. This is extremely useful for dial-up PPP links (usually interface ppp0) and the like.
As a special case, an interface name ending with a `+' will match all interfaces (whether they currently exist or not) which begin with that string. For example, to specify a rule which matches all PPP interfaces, the -i ppp+ option would be used.
You don't want packets that are staying internal (eth0) to be SNAT, which is why I think you have to have the -o option set.

Last edited by warath; 11-11-2003 at 02:08 PM.
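The rule set the two posters converge on (one host SNATed to the alias address, the rest of the subnet SNATed to the primary address, both restricted with -o eth1 rather than the alias name), written out as an added example that is not from the thread. The addresses, subnet, host and port list are placeholders standing in for the values the poster redacted; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder addresses (RFC 5737/1918
# ranges) stand in for the ones the poster redacted; adjust before use.
IPT=${IPT:-iptables}
LAN_IF=eth0
WAN_IF=eth1                    # eth1:1 is only a second address on eth1; iptables matches eth1
LAN_NET=192.168.1.0/24         # placeholder internal subnet
NAT_HOST=192.168.1.10          # placeholder: the one host that gets the 1:1 mapping
ALIAS_IP=198.51.100.194        # placeholder for the "194" alias address
PRIMARY_IP=198.51.100.195      # placeholder for the primary "195" address
FWD_PORTS="80 443"             # placeholder: inbound TCP ports exposed on the alias

# Print the rules in the order they must be loaded. POSTROUTING stops at the
# first match, so the single-host SNAT has to come before the subnet SNAT.
nat_rules() {
    # Outbound half of the 1:1 mapping: only this host leaves as the alias address.
    # Matching on -o $WAN_IF keeps LAN-to-LAN and LAN-to-firewall traffic untouched.
    echo "$IPT -t nat -A POSTROUTING -o $WAN_IF -s $NAT_HOST -j SNAT --to-source $ALIAS_IP"
    # Everything else from the subnet leaves as the primary address. SNAT pins the
    # address explicitly instead of letting MASQUERADE pick one for the interface.
    echo "$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PRIMARY_IP"
    # Inbound half, limited to the ports actually served rather than all traffic.
    for p in $FWD_PORTS; do
        echo "$IPT -t nat -A PREROUTING -i $WAN_IF -d $ALIAS_IP -p tcp --dport $p -j DNAT --to-destination $NAT_HOST"
    done
    # FORWARD decides what may cross at all: replies, the exposed ports, LAN egress.
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $FWD_PORTS; do
        echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -d $NAT_HOST -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Narrow this one to the outbound ports you allow, as the poster already does.
    echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "$IPT -P FORWARD DROP"
}

# Applying needs root; without APPLY=1 the commands are only printed for review.
if [ "${APPLY:-0}" = 1 ]; then
    nat_rules | sh
else
    nat_rules
fi
```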