Hi all...
I found a posting http://www.flux.org/pipermail/linux/2001-May/003528.html
while I was searching for "nat, iptables, dhcp, router" and I found your
script very interesting, but I'm not sure it fits my needs. Sorry for any
inconvenience. Let's see my network:
      -----------------------
      |     3com router     |
      |     dynamic ip      |
      |   200.180.169.xxx   |
      -----------------------
                 |
      -----------------------------
      |         Linux Box         |
      |  external interface eth0  |
      |       192.168.200.3       |
      -----------------------------
      -----------------------------
      |         Linux Box         |
      |  internal interface eth1  |
      |      10.100.100.254       |
      -----------------------------
                 |
      -----------------------------
      |            Hub            |
      |   no IP, just wires ;)    |
      -----------------------------
                 |
      -----------------------------------
      |       Workstations (LAN)        |
      |   10.100.100.0/255.255.255.0    |
      |gateway 10.100.100.254 (named ok)|
      -----------------------------------
I want the Linux box (an i686 RedHat 7.2 + iptables 1.2.4 + kernel
2.4.9) to forward the internet to the workstations and do NAT with the
dynamic IP, so users can access our Tomcat, Apache, SSH and MySQL. The
solution I have today solves these two problems, but every time the DSL
line changes IP or the machine goes down, I have to flush the rules, find
the new IP by telnetting to the router and then run the script. And I'm almost
sure that I can do this differently, and without using the IP as a parameter.
- BOF
# the actual solution - forwarding the internet to all workstations
IPTABLES="/sbin/iptables"   # was never set in the posted script
EXTIF="eth0"
INTIF="eth1"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# replies from the internet back to the LAN
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN to the internet
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# note: this also accepts any NEW connection from the internet into the LAN
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $EXTIF -j ACCEPT
# anything that falls through is logged, then dropped by the FORWARD policy
$IPTABLES -A FORWARD -j LOG
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
$IPTABLES -A POSTROUTING -t nat -o $INTIF -j MASQUERADE

# my solution for NAT - $1 = parameter in command line ;-)
ifconfig eth0:0 $1
iptables -A PREROUTING -t nat -d $1/32 -j DNAT --to 10.100.100.254
iptables -A POSTROUTING -t nat -s 10.100.100.254/32 -j SNAT --to $1
- EOF
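As an added example (not the script from the post above, nor the one from the flux.org posting), here is one way to build the same rule set without passing the IP on the command line. Two things make the parameter unnecessary: the DNAT rules match on the incoming interface (-i eth0) instead of on the destination address, and MASQUERADE instead of SNAT reads the interface's current address on every packet and forgets its mappings when the interface goes down, which is exactly the behaviour wanted on a dynamic line. The example also goes a little beyond the post: it restricts inbound traffic to the published ports plus established connections instead of accepting every new connection from the internet into the LAN. Assumptions: the `ip` tool from iproute for reading the address, the interface names and LAN from the post, 10.100.100.254 as the DNAT target (the box's own eth1 address, so the DNATed packets go through INPUT, not FORWARD), and that SSH, Apache, MySQL and Tomcat listen on their default ports 22, 80, 3306 and 8080.

```sh
#!/bin/sh
# Added example, not the script from the original post or from flux.org.
# Assumptions: iptables 1.2.x command syntax, the `ip` tool from iproute
# for address lookup, the interface names and LAN from the post, and
# that the published services listen on their default ports.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
LAN="10.100.100.0/24"
SERVER="10.100.100.254"           # DNAT target from the post (the box's own eth1)
PUBLISHED_TCP="22 80 3306 8080"   # SSH, Apache, MySQL, Tomcat (assumed default ports)
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Pick the first IPv4 address out of `ip -4 addr show dev IF` output.
# Reads stdin so it can be checked offline against a constructed sample.
parse_ext_ip() {
    sed -n 's/^[[:space:]]*inet \([0-9.][0-9.]*\)\/.*/\1/p' | head -n 1
}

# Only useful for logging or monitoring: the rules below never use the address.
current_ext_ip() {
    ip -4 addr show dev "$EXTIF" | parse_ext_ip
}

apply_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    # replies to connections the LAN opened
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN to the internet, only from our own address range
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    # publish the services: match on the interface, not on the (changing) address
    for port in $PUBLISHED_TCP; do
        $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$SERVER"
        # only reached if SERVER is another LAN host; when SERVER is the box's
        # own eth1 address the DNATed packets go through INPUT instead
        $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$SERVER" --dport "$port" -j ACCEPT
    done
    # everything else reaching the end of FORWARD is logged, then dropped by policy
    $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
    # MASQUERADE reads the interface's current address on every packet and
    # forgets its mappings when the interface goes down, so no $1 is needed
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

case "${1:-dry-run}" in
    apply)   apply_rules ;;
    dry-run) IPTABLES=echo; apply_rules ;;   # print the commands instead of running them
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 1 ;;
esac
```

Run it with no argument to see the iptables commands it would issue, and with `apply` (as root) to load them; because nothing in the rules depends on the address, the script can simply be re-run from an ifup hook or at boot and the same rules remain valid after the DSL line changes IP.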
I'm waiting for any script, solution, link, resource (3com maybe). Thanks in
advance and sorry about my English, I'm Brazilian, we speak Portuguese here
=/
Luciano Macedo Rodrigues
Analista/Construtor
OpenSoft - Porto Alegre/RS