Iptable for nat assistance

jon jonzou-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Apr 25 21:30:50 UTC 2007


Besides shorewall, firehol is another helpful tool and is really easy to
understand.

On 4/25/07, Lennart Sorensen <lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org> wrote:
>
> On Wed, Apr 25, 2007 at 06:40:43PM +0300, Kihara Muriithi wrote:
> > Hi all,
> > I have been attempting to use iptables to NAT internal IPs to an
> > external IP without success. I have experience with iptables, but mainly
> > on how to close or open specific ports. NAT has proved a little
> > challenging and that's why I am seeking assistance.
> > Let's say I have internal IPs as 10.0.0.0/24 and need all those IPs
> > NATted to an external IP 192.168.2.1. This is what I have attempted in
> > my quest to find a solution.
> > /sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.2.1
> >
> > When I check the firewall status, I notice this table insertion:
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > SNAT       all  --  0.0.0.0/0            0.0.0.0/0           to:192.168.2.1
>
> I prefer the output of iptables with -v added to show which interface
> the rule applies to.
>
> You might also want to make it only apply to the 10.x network, rather
> than everything.  So try adding -s 10.0.0.0/24 to that rule above.
>
> > To be frank, I expected 192.168.2.1 to be the destination. The way the
> > details are presented is confusing, IMO. What's puzzling, however, is
> > that this command is rejected when I attempt to make it persistent, as
> > seen below.
> > vi /etc/sysconfig/iptables
> > Just before the line below, I inserted the second command:
> > REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> > -A POSTROUTING -o eth0 -j SNAT --to 192.168.2.1
>
> The destination is any address that is outside through eth0.  0.0.0.0/0
> means any.  The source you didn't specify in your case so that too
> was any.  The only requirement you supplied was that it be stuff going
> out eth0.
>
> > This, however, doesn't work, as iptables throws an error message and
> > fails to come up.
> > Now the question is, what is the proper way of doing NAT through a Linux
> > box? I have enabled IP forwarding, by the way.
>
> I personally tend to use shorewall to manage the specific iptables rules
> since it adds a more comprehensible and manageable abstraction on top of
> iptables.
>
> With shorewall you could do something as simple as this in your
> /etc/shorewall/masq file:
>
> #INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
> eth0                    eth1            192.168.2.1
>
> --
> Len Sorensen
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
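As an added example (not code from anyone in this thread), here is a POSIX shell script that generates the rules file Kihara's setup needs: the SNAT rule sits under a `*nat` section and is restricted to the 10.0.0.0/24 source as Len suggests, and a small check catches the original mistake of pasting an `-A POSTROUTING` line into the `*filter` section of /etc/sysconfig/iptables, where the filter table has no such chain. The interface names eth0/eth1, the subnet and the external address are taken from the thread; the rule layout and the FORWARD policy are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an iptables-restore
# file that SNATs one internal subnet behind one external address.
# Interfaces (eth0 external, eth1 internal), 10.0.0.0/24 and 192.168.2.1
# come from the thread; the rule layout is an assumption.

# gen_nat_rules EXT_IF INT_IF INT_NET EXT_IP
gen_nat_rules() {
    ext_if=$1; int_if=$2; int_net=$3; ext_ip=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite only packets from the internal subnet leaving via $ext_if;
# without -s every forwarded packet, whatever its source, would be SNATed.
-A POSTROUTING -s $int_net -o $ext_if -j SNAT --to-source $ext_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# NAT only rewrites addresses; the FORWARD chain still decides what passes.
-A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT
-A FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Reads a rules file on stdin. iptables-restore attaches each -A line to
# the table named by the preceding "*table" line, so a POSTROUTING rule
# placed under *filter (as in the original post) is rejected at load time.
# Returns 0 if every PREROUTING/POSTROUTING rule is under *nat, 1 otherwise.
check_nat_placement() {
    awk '
        /^\*/ { table = substr($0, 2) }
        /^-A (PREROUTING|POSTROUTING) / && table != "nat" { bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Load the rules live (root required). Forwarding must be on or the
# NATed packets never leave the box.
apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_nat_rules "$@" | check_nat_placement || return 1
    gen_nat_rules "$@" | iptables-restore
}
```

Usage: `gen_nat_rules eth0 eth1 10.0.0.0/24 192.168.2.1 > /etc/sysconfig/iptables` and restart the iptables service on a RHEL/CentOS box of that era, or call `apply_nat_rules eth0 eth1 10.0.0.0/24 192.168.2.1` to load directly with iptables-restore. Verify with `iptables -t nat -L POSTROUTING -nv`, which (as Len notes) shows the interface the rule is bound to.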