Luciano Macedo Rodrigues wrote:
> Hi all...
> 
> I found a posting http://www.flux.org/pipermail/linux/2001-May/003528.html
> while I was searching for "nat, iptables, dhcp, router" and I found your
> script very interesting, but I'm not sure it fits my needs. Sorry for any
> inconvenience. Let's see my network:
> 
>  -------------------------
> | 3com router             |
> | dynamic ip              |
> | 200.180.169.xxx         |
>  -------------------------
>             |
>  -------------------------
> | Linux Box               |
> | external interface eth0 |
> | 192.168.200.3           |
>  -------------------------
>  -------------------------
> | Linux Box               |
> | internal interface eth1 |
> | 10.100.100.254          |
>  -------------------------
>             |
>  -------------------------
> | Hub                     |
> | no IP, just wires ;)    |
>  -------------------------
>             |
>  -----------------------------------
> | Workstations (LAN)                |
> | 10.100.100.0/255.255.255.0        |
> | gateway 10.100.100.254 (named ok) |
>  -----------------------------------
> 
> I want the Linux Box (an i686 RedHat 7.2 + iptables 1.2.4 + kernel
> 2.4.9) to forward the internet to the workstations and do NAT with the
> dynamic IP, so users can access our Tomcat, Apache, SSH and MySQL. The
> solution that I have today solves these two problems, but every time the DSL
> line changes IP or the machine goes down, I have to flush the rules, find
> the new IP by telnetting to the router and then run the script. And I'm almost
> sure that I can do this differently, and without using the IP as a parameter.
> 
> - BOF
> 
> the actual solution - forwarding the internet to all workstations
> 
> IPTABLES="/sbin/iptables"
> EXTIF="eth0"
> INTIF="eth1"
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
> $IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
> $IPTABLES -A POSTROUTING -t nat -o $INTIF -j MASQUERADE
> 
> my solution for NAT - $1 = parameter in command line ;-)
> 
> ifconfig eth0:0 $1
> 

instead of jumping to dnat, you need to jump to masq because your ip is 
dynamic.

use this instead:
iptables -A PREROUTING -t nat -d $1/32 -j MASQ

> iptables -A PREROUTING  -t nat -d $1/32 -j DNAT --to 10.100.100.254
> iptables -A POSTROUTING -t nat -s 10.100.100.254/32 -j SNAT --to $1
> 
> - EOF
> 
> I'm waiting for any script, solution, link, resource (3com maybe). Thanks in
> advance and sorry about my English, I'm Brazilian, we speak Portuguese here
> =/
> 
> Luciano Macedo Rodrigues
> Analista/Construtor
> OpenSoft - Porto Alegre/RS
> 


-- 
Joe Ellis
http://www.lithodyne.net
Jas 1:19,20
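An interface-keyed variant of the forwarding and NAT setup discussed in the thread, added here as an example that is not code from either poster: DNAT matches on the incoming interface rather than on the external address, so the script needs no IP parameter, and only the listed ports are opened instead of all traffic. Assumed, not from the mail: the services live on an internal host 10.100.100.10 and listen on TCP 22, 80 and 8080; iproute2's `ip` is used for the optional address lookup.

```shell
#!/bin/sh
# Added example (not from the thread). Rules for the layout above, written so
# the external address never has to be typed in. Assumptions, not from the
# original mail: the services live on an internal host 10.100.100.10 and
# listen on TCP 22 (SSH), 80 (Apache) and 8080 (Tomcat).
EXTIF="eth0"
INTIF="eth1"
SERVER="10.100.100.10"
PORTS="22 80 8080"

# Read the first IPv4 address from `ip -4 addr show dev <if>` text on stdin.
# Only needed when a rule must carry the literal address (see snat_rule).
extract_ipv4() {
    sed -n 's/^ *inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Explicit SNAT rule for a given address: the static-address alternative to
# MASQUERADE. It has to be regenerated whenever the lease changes.
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -o $EXTIF -s $SERVER -j SNAT --to-source $1"
}

# Print the whole rule set. DNAT matches on the incoming interface, not on the
# address, so it survives an address change; MASQUERADE picks the current
# address of EXTIF per packet. Only the listed ports may enter from outside;
# everything else hitting FORWARD from EXTIF falls to the DROP policy.
build_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $PORTS; do
        echo "iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $p -j DNAT --to-destination $SERVER:$p"
        echo "iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $SERVER --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE"
}

# No argument: only print the rules. "apply": run them (as root on the router).
# "show-ip": print the address currently on EXTIF, for a log line or a check.
case "$1" in
    apply)   build_rules | sh ;;
    show-ip) ip -4 addr show dev "$EXTIF" | extract_ipv4 ;;
    *)       build_rules ;;
esac
```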