Iptable for nat assistance
Lennart Sorensen
lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Wed Apr 25 17:36:37 UTC 2007
On Wed, Apr 25, 2007 at 06:40:43PM +0300, Kihara Muriithi wrote:
> Hi all,
> I have been attempting to use iptables to NAT internal IPs to an external
> IP without success. I have experience with iptables, but mainly on how to
> close or open specific ports. NAT has proved a little challenging and that's
> why I am seeking assistance.
> Let's say I have internal IPs as 10.0.0.0/24 and need all those IPs natted
> to an external IP 192.168.2.1. This is what I have attempted in my quest to
> find a solution.
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.2.1
>
> when I check the firewall status, I notice this table insertion
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:192.168.2.1
I prefer the output of iptables with -v added to show which interface
the rule applies to.
You might also want to make it only apply to the 10.x network, rather
than everything. So try adding -s 10.0.0.0/24 to that rule above.
> To be frank, I expected 192.168.2.1 to be the destination. The way the
> details are presented is confusing, IMO. What's however puzzling is this
> command is rejected when I attempt to make it persistent as seen below.
> vi /etc/sysconfig/iptables
> Just before the line below, I inserted the second command
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> -A POSTROUTING -o eth0 -j SNAT --to 192.168.2.1
The destination is any address that is outside through eth0. 0.0.0.0/0
means any. The source you didn't specify in your case so that too
was any. The only requirement you supplied was that it be stuff going
out eth0.
> This however doesn't work as iptables throws an error message and fails to
> come up.
> Now the question is, what is the proper way of doing NAT through a Linux
> box? I have enabled IP forwarding by the way.
I personally tend to use shorewall to manage the specific iptables rules
since it adds a more comprehensible and manageable abstraction on top of
iptables.
With shorewall you could do something as simple as this in your
/etc/shorewall/masq file:
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1 192.168.2.1
--
Len Sorensen
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
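An added check, not from the thread, that reads a file in the iptables-save format used by /etc/sysconfig/iptables and flags rules appended to a chain that the enclosing table section does not have. The thread does not say why the restore failed; this assumes the likely cause, that the POSTROUTING line landed in the *filter section next to the REJECT rule instead of in a *nat section, and the sample file contents are constructed.

```python
import re

# Built-in chains of each table; a rule naming any other chain needs a
# ':CHAIN POLICY' declaration inside that table's section.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "POSTROUTING", "OUTPUT"},
}

def find_misplaced_rules(text):
    """Return (line_no, table, chain) for each -A/-I rule whose chain is
    neither built into nor declared in the *table section enclosing it."""
    problems, table, declared = [], None, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # start of a table section
            table, declared = line[1:], set()
        elif line.startswith(":"):          # chain declaration
            declared.add(line[1:].split()[0])
        elif line == "COMMIT":              # end of the section
            table = None
        else:
            m = re.match(r"-[AI]\s+(\S+)", line)
            if m and m.group(1) not in BUILTIN_CHAINS.get(table, set()) | declared:
                problems.append((n, table, m.group(1)))
    return problems

# Constructed sample: the SNAT line pasted into the filter section just
# before the REJECT rule, the way the thread describes.
BROKEN = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to 192.168.2.1
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: the same rule in its own *nat section, limited to
# 10.0.0.0/24 as the reply suggests (the *filter section is unchanged).
FIXED = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.2.1
COMMIT
""" + BROKEN.replace("-A POSTROUTING -o eth0 -j SNAT --to 192.168.2.1\n", "")
```

Running find_misplaced_rules over the broken file reports the POSTROUTING rule in the filter section; the fixed file reports nothing.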