/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Nicolas Gosselin <[EMAIL PROTECTED]> wrote:
>
> If you know the iptables instructions for the second ip "server"
> please let me know.
Setting one IP to one server, and the other IP to everything else,
should be simple, if you can find a way to recognize traffic that should
be sent to that server.
When you have two IPs, that makes it very easy, and a set of NAT rules
like this should do the trick:
iptables -t nat -A POSTROUTING -o $EXTERNAL_IF \
-s $SPECIAL_SERVER -j SNAT --to $SPECIAL_IP
iptables -t nat -A POSTROUTING -o $EXTERNAL_IF \
-s $INTERNAL_NET -j SNAT --to $NORMAL_IP
These rules assume:
EXTERNAL_IF="name of your external interface, eg eth1 or ppp0"
INTERNAL_NET="a pattern that matches your internal net, eg 192.168.1.0/24"
NORMAL_IP="the external IP you use for normal masquerading"
SPECIAL_SERVER="the internal IP of your special server, eg 192.168.1.7"
SPECIAL_IP="the external IP you are dedicating to your server"
These rules also assume that you have FORWARD rules defined that
permit the NAT'd traffic to flow, such as these:
# INTERNAL_IF: name of your internal interface
# each rule needs a -j target; a match with no target only counts packets
iptables -A FORWARD -i $INTERNAL_IF -o $EXTERNAL_IF \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_IF -o $INTERNAL_IF \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP
This short set of rules would allow in-to-out traffic in all cases, and
allow out-to-in traffic only in the case of permitting existing
connections to continue.
The two NAT rules should be easy to read:
iptables -t nat -A POSTROUTING -o $EXTERNAL_IF \
-s $SPECIAL_SERVER -j SNAT --to $SPECIAL_IP
"If the packet is leaving via the external interface, and it has
a source IP address that matches my special server, then Source-NAT
it (change the source address) so that it changes to my Special
external IP."
iptables -t nat -A POSTROUTING -o $EXTERNAL_IF \
-s $INTERNAL_NET -j SNAT --to $NORMAL_IP
"Failing the first rule, if the packet is leaving via the external
interface, and it has a source address that matches my internal
network, Source-NAT it so that the source address is my Normal
external IP."
Now, if you were to have a further requirement, to allow INCOMING
traffic to reach your special server in certain cases, then you will
need more rules.
Incoming traffic must be Destination-NAT'd (DNAT), since you are
changing the destination to be something different than your firewall.
Again, with two IPs for your firewall it is easy to set this up:
iptables -t nat -A PREROUTING -i $EXTERNAL_IF \
-d $SPECIAL_IP -j DNAT --to $SPECIAL_SERVER
This watches for traffic destined for your extra IP and changes it to be
destined for your special server.
You will also need a FORWARD rule to allow traffic, such as:
# -j ACCEPT is required, or the LOG/DROP rules at the end of the chain win
iptables -A FORWARD -i $EXTERNAL_IF -o $INTERNAL_IF \
-d $SPECIAL_SERVER -p tcp --dport 80 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Since iptables considers NAT separately from routing, you can come up
with rules like this on your own by doing the same: When considering
FORWARD rules, you can pretend that your private net and the public net
are interconnected and routable, because that is the nature of the
traffic seen by the FORWARD chain. When you are considering your NAT
rules, you need only concern yourself with what needs to be changed in
the packet, when coming in or going out.
Hope this is helpful to you.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Good judgment comes from experience.
sometimes known as David DeSimone || Experience comes from bad judgment."
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
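The rules from the post above, pulled together into one reviewable script as an added example (this is not the poster's own code). The interface names eth0/eth1, the 203.0.113.x external addresses, and the published ports 80 and 443 are assumed placeholders. It goes beyond the post in four ways: the DNAT is restricted to the published ports instead of mapping every port on SPECIAL_IP to the server, every FORWARD rule carries a -j ACCEPT target, the LOG rule is rate-limited, and a dry-run mode prints the rules so they can be checked before anything is loaded.

```shell
#!/bin/sh
# Added example (not the original post's code): the two-IP SNAT/DNAT setup
# as a reviewable script. Interface names, addresses and ports below are
# assumed placeholders; override them in the environment.
# --dry-run prints the rules, --apply loads them (as root).
# net.ipv4.ip_forward=1 must also be set; that is left to the reader.

IPT="${IPT:-iptables}"

EXTERNAL_IF="${EXTERNAL_IF:-eth1}"              # assumed
INTERNAL_IF="${INTERNAL_IF:-eth0}"              # assumed
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
NORMAL_IP="${NORMAL_IP:-203.0.113.10}"          # assumed, documentation range
SPECIAL_SERVER="${SPECIAL_SERVER:-192.168.1.7}"
SPECIAL_IP="${SPECIAL_IP:-203.0.113.11}"        # assumed, documentation range
SPECIAL_PORTS="${SPECIAL_PORTS:-80 443}"        # assumed published services

build_rules() {
  # Start from a default-deny FORWARD chain and empty NAT chains.
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  $IPT -t nat -F PREROUTING
  $IPT -t nat -F POSTROUTING

  # Inbound: DNAT only the published ports on the dedicated IP. An
  # unqualified DNAT would hand every port on SPECIAL_IP to the server and
  # leave the FORWARD chain as the only thing in the way.
  for port in $SPECIAL_PORTS; do
    $IPT -t nat -A PREROUTING -i "$EXTERNAL_IF" -d "$SPECIAL_IP" \
      -p tcp --dport "$port" -j DNAT --to-destination "$SPECIAL_SERVER"
  done

  # Outbound: SNAT is terminating, so the more specific server rule goes first.
  $IPT -t nat -A POSTROUTING -o "$EXTERNAL_IF" -s "$SPECIAL_SERVER" \
    -j SNAT --to-source "$SPECIAL_IP"
  $IPT -t nat -A POSTROUTING -o "$EXTERNAL_IF" -s "$INTERNAL_NET" \
    -j SNAT --to-source "$NORMAL_IP"

  # FORWARD sees packets after DNAT and before SNAT, so it matches on the
  # internal addresses. Every rule carries -j ACCEPT: a rule without a
  # target only counts packets and the trailing DROP wins.
  $IPT -A FORWARD -i "$INTERNAL_IF" -o "$EXTERNAL_IF" -s "$INTERNAL_NET" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$EXTERNAL_IF" -o "$INTERNAL_IF" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  for port in $SPECIAL_PORTS; do
    $IPT -A FORWARD -i "$EXTERNAL_IF" -o "$INTERNAL_IF" -d "$SPECIAL_SERVER" \
      -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  # Rate-limit the log so a port scan cannot fill the disk.
  $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
  $IPT -A FORWARD -j DROP
}

# Print the rules instead of loading them.
dry_run() { ( IPT=echo; build_rules ); }

# Review helpers over the dry run: number of appended rules, and number of
# appended rules lacking a -j target (must be 0).
count_rules() { dry_run | grep -c -- '-A '; }
count_rules_without_target() {
  dry_run | grep -- '-A ' | grep -vc -- '-j ' || true
}

case "${1:-}" in
  --dry-run) dry_run ;;
  --apply)   build_rules ;;
esac
```

Run it as `sh twoip.sh --dry-run` and read the output before `--apply`; the two counting helpers are what a pre-flight check would assert on. `-m state` is kept to match the post; on current kernels `-m conntrack --ctstate` is the preferred spelling and behaves the same here.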