[NTLUG:Discuss] static NAT?

Paul Ingendorf pauldy at wantek.net
Wed Feb 6 23:48:06 CST 2002


First the broadcast addr of the ifconfig is incorrect it should probably match that of the first interface addr you have.  Try ifconfig without any args and it should report back to you the appropriate config for the broadcast and netmask.  Also I'm sure that ethX is not an interface on your machine it should probably be eth0 or eth1 so the command would be like 

ifconfig eth0:1 x.x.x.x netmask x.x.x.x broadcast x.x.x.x

Again here x should be replaced by the IP addr, the netmask and the broadcast.

You mention you would simply like to do the ports for FTP and HTTP so I would probably change the iptables commands as follows as the previous ones should simply forward everything to the second ip addr.

iptables -t nat -D PREROUTING -d 216.224.237.55 -j DNAT --to 192.168.12.99 # removes the previous rule

iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 20 -j DNAT --to 192.168.12.99
iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 21 -j DNAT --to 192.168.12.99
iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 80 -j DNAT --to 192.168.12.99
iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 443 -j DNAT --to 192.168.12.99


-----Original Message-----
From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
Of Bob Byron
Sent: Wednesday, February 06, 2002 10:29 PM
To: discuss at ntlug.org
Subject: Re: [NTLUG:Discuss] static NAT?


Well, I was testing the configuration and when I connect to
216.224.237.55, I seem to get a connection to the server 
(216.224.237.34) and not to 192.168.12.99.

Oh, and in the last email where I mentioned the commands I executed, 
I meant to say I executed the commands:

ifconfig ethX:1 216.224.237.55 netmask 255.255.255.0 broadcast 192.168.12.255
iptables -t nat -A PREROUTING -d 216.224.237.55 -j DNAT --to 192.168.12.99

Bob Byron

----- Original Message ----- 
From: "Bob Byron" <bbyron at radit.com>
To: <discuss at ntlug.org>
Sent: Wednesday, February 06, 2002 9:42 PM
Subject: Re: [NTLUG:Discuss] static NAT?


> That is exactly what I am looking for, but I have been trying to determine
> what the "broadcast" is doing, and I am not sure what the "new broadcast"
> should be.
> 
> Let's take as an example 
> WAN IP: 216.224.237.34  (existing server)
> WAN Virtual IP: 216.224.237.55  (virtual IP)
> WAN subnetmask: 255.255.255.224
> LAN 192.168.12.99 (non routable lan IP).
> LAN subnetmask: 255.255.255.0
> 
> I want to route 216.224.237.55 directly to 192.168.12.99.
> ifconfig ethX:1 216.224.237.55 netmask 255.255.255.0 broadcast 192.168.1.255
> iptables -t nat -A PREROUTING -d 216.224.237.55
> 
> I also will want to block connections to that port except through
> perhaps ports 80 and 21.
> 
> I am testing.  Thanks for the info.
> 
> Bob Byron
> 
> ----- Original Message ----- 
> From: "Paul Ingendorf" <pauldy at wantek.net>
> To: <discuss at ntlug.org>
> Sent: Wednesday, February 06, 2002 11:47 AM
> Subject: Re: [NTLUG:Discuss] static NAT?
> 
> 
> > 
> > 1.)
> > 
> > ifconfig ethX:1 <ext ip> netmask <newnetmask> broadcast <new broadcast>
> > 
> > Where X is the number of the external interface.
> > 
> > 2.)
> > 
> > Then you should use something like so.
> > iptables -t nat -A PREROUTING -d <ext ip> -j DNAT --to <int ip>
> > 
> > 
> > 
> > Quoting Bob Byron <bbyron at radit.com>:
> > 
> > > I have a linux server acting as a firewall with a private non-routable
> > > network (lan) on one side and the internet (wan) on the other.  I have
> > > a number of ip addresses and want to be able to take one machine on 
> > > the lan and make it addressable from the outside.  I am using IP tables
> > > and the private network is being "NAT"ed.  So, I suspect I have to 
> > > do two things.  
> > > 
> > > 1)  Tell my NIC card on the wan side to accept a second (virtual) 
> > > IP address.
> > > 
> > > 2)  I need to have the firewall statically translate the lan machine
> > > using that address.  
> > > 
> > > Any ideas how to do that?
> > > 
> > > Thanks,
> > > Bob Byron
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > http://www.ntlug.org/mailman/listinfo/discuss
> > > 
> > 
> > 
> > 
> > -- 
> > -->> mailto:pauldy at wantek.net
> > -->> http://www.wantek.net/
> > 
> 
> 
> 
> 




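The two points raised in this thread (the alias broadcast must come from the WAN subnet, not the LAN, and the DNAT rule should be limited to the needed ports rather than forwarding everything) worked through as an added example; this script is not from any of the posters. It only prints the commands, and it assumes the external interface is eth0 and that the FORWARD chain policy may be DROP.

```sh
#!/bin/sh
# Added example (not from the thread): derive the alias broadcast from the
# WAN netmask Bob quoted (255.255.255.224) and print per-port DNAT rules
# in place of the catch-all rule. Nothing here touches the running
# firewall; eth0 as the external interface is an assumption.

ip_to_int() {                 # dotted quad -> integer
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {                 # integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

broadcast_for() {             # broadcast_for <ip> <netmask>
  ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
  # broadcast = address with all host bits set (mask inverted within 32 bits)
  int_to_ip $(( ip | (mask ^ 4294967295) ))
}

# Replace the "forward everything" DNAT rule with one rule per TCP port.
# The FORWARD accepts are only needed when the FORWARD policy is DROP.
dnat_rules() {                # dnat_rules <ext ip> <int ip> <port>...
  ext=$1; int=$2; shift 2
  echo "iptables -t nat -D PREROUTING -d $ext -j DNAT --to $int"
  for p in "$@"; do
    echo "iptables -t nat -A PREROUTING -d $ext -p tcp --dport $p -j DNAT --to $int"
    echo "iptables -A FORWARD -d $int -p tcp --dport $p -j ACCEPT"
  done
}

# Print the commands for the addresses quoted in the thread.
ext=216.224.237.55; wanmask=255.255.255.224; int=192.168.12.99
echo "ifconfig eth0:1 $ext netmask $wanmask broadcast $(broadcast_for $ext $wanmask)"
dnat_rules "$ext" "$int" 21 80
```

With the /27 WAN mask the alias broadcast comes out as 216.224.237.63, not the 192.168.x.255 values used in the quoted commands.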