Iptable for nat assistance

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Wed Apr 25 17:36:37 UTC 2007


On Wed, Apr 25, 2007 at 06:40:43PM +0300, Kihara Muriithi wrote:
> Hi all,
> I have been attempting to use iptables to NAT internal IPs to an external
> IP without success. I have experience with iptables, but mainly on how to
> close or open specific ports. NAT has proved a little challenging and that's
> why I am seeking assistance.
> Let's say I have internal IPs in 10.0.0.0/24 and need all those IPs NATted
> to an external IP 192.168.2.1. This is what I have attempted in my quest to
> find a solution.
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.2.1
> 
> When I check the firewall status, I notice this table insertion:
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> SNAT       all  --  0.0.0.0/0            0.0.0.0/0           to:192.168.2.1

I prefer the output of iptables with -v added to show which interface
the rule applies to.

You might also want to make it only apply to the 10.x network, rather
than everything.  So try adding -s 10.0.0.0/24 to that rule above.

> To be frank, I expected 192.168.2.1 to be the destination. The way the
> details are presented is confusing, IMO. What's puzzling, however, is that this
> command is rejected when I attempt to make it persistent, as seen below.
> vi /etc/sysconfig/iptables
> Just before the line below, I inserted the second command:
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> -A POSTROUTING -o eth0 -j SNAT --to 192.168.2.1

The destination is any address that is outside through eth0.  0.0.0.0/0
means any.  You didn't specify the source in your case, so that too
was any.  The only requirement you supplied was that it be stuff going
out eth0.

> This, however, doesn't work, as iptables throws an error message and fails to come
> up.
> Now the question is, what is the proper way of doing NAT through a Linux
> box? I have enabled IP forwarding, by the way.

I personally tend to use shorewall to manage the specific iptables rules
since it adds a more comprehensible and manageable abstraction on top of
iptables.

With shorewall you could do something as simple as this in your
/etc/shorewall/masq file:

#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth0                    eth1            192.168.2.1

--
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
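As an added illustration of the two points raised in the thread (scoping the SNAT rule to the internal subnet with `-s`, and why a bare `-A POSTROUTING` line can be rejected when pasted into `/etc/sysconfig/iptables`), the following shell script is example code written for this page, not something posted in the thread. It generates an `iptables-save`-style `*nat` section for the lab values used above (10.0.0.0/24, eth0, 192.168.2.1), checks that a rule is source-scoped, and reports which table a rule line sits under in a saved ruleset. `/etc/sysconfig/iptables` is read by `iptables-restore`, and a `-A POSTROUTING` line placed under `*filter` fails because POSTROUTING is not a chain of the filter table; the function names here are the example's own.

```shell
#!/bin/sh
# Example code for this page (not from the thread). Assumed lab values:
# internal subnet 10.0.0.0/24, external interface eth0, external address 192.168.2.1.

# build_snat_rules SUBNET OUT_IFACE EXT_ADDR
# Print a complete *nat section in iptables-save format.  The POSTROUTING
# rule must sit under *nat; under *filter iptables-restore rejects it.
build_snat_rules() {
    subnet=$1
    iface=$2
    ext=$3
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # "-s SUBNET" limits the rewrite to internal hosts instead of every source.
    printf '%s\n' "-A POSTROUTING -s $subnet -o $iface -j SNAT --to-source $ext"
    printf '%s\n' 'COMMIT'
}

# snat_rule_is_scoped RULE_LINE
# Succeed only if an SNAT rule carries a -s source match.
snat_rule_is_scoped() {
    case "$1" in
        *"-s "*"-j SNAT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# table_of_rule FILE PATTERN
# Print the table (*nat, *filter, ...) that the first line matching PATTERN
# is under, or "none" if it appears before any table header.
table_of_rule() {
    awk -v pat="$2" '
        /^\*/ { table = substr($0, 2) }
        index($0, pat) { print (table == "" ? "none" : table); exit }
    ' "$1"
}

# Stand-alone use: ./snat.sh 10.0.0.0/24 eth0 192.168.2.1 > nat-section.txt
# IP forwarding is still required: sysctl -w net.ipv4.ip_forward=1
# Verify the live rule with the interface shown: iptables -t nat -L POSTROUTING -n -v
if [ $# -eq 3 ]; then
    build_snat_rules "$@"
fi
```

The generated section is meant to be merged into the saved ruleset as its own `*nat` ... `COMMIT` block, separate from the `*filter` block that holds the REJECT line quoted above.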