[NTLUG:Discuss] static NAT?

Paul Ingendorf pauldy at wantek.net
Thu Feb 7 22:14:57 CST 2002


Well I haven't done this before but this should work

iptables -t nat -A POSTROUTING -s 192.168.12.99/255.255.255.255 -j SNAT --to 216.224.237.55

The caveat here is that this should appear before any other rules you have, like maybe MASQUERADE.  Or, if you're using it like you should, a line like the following:
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.0.0 -j SNAT --to 216.224.237.34

Of course this assumes you are using the full class B reserved net.


-----Original Message-----
From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
Of Bob Byron
Sent: Thursday, February 07, 2002 1:49 PM
To: discuss at ntlug.org
Subject: Re: [NTLUG:Discuss] static NAT?


Alright, this is interesting.  I made the changes you mentioned and things are
getting better.  Thank You!!!  Now, I need another change.  When I connect
to the WAN, I want my local client to be seen as the .55 number.  That is,
from my machine (192.168.12.99) on the LAN, I want to connect to a
remote location such as:
http://www.hexillion.com/samples/AspTrace.asp
And that website would see 216.224.237.55 as my IP address.  So, it is
a static NAT translation on the way out for any connection I make from
192.168.12.99.  Currently, if I connect from my machine to the above
website, my server's address is displayed (216.224.237.34).

Bob Byron

----- Original Message -----
From: "Paul Ingendorf" <pauldy at wantek.net>
To: <discuss at ntlug.org>
Sent: Wednesday, February 06, 2002 11:48 PM
Subject: RE: [NTLUG:Discuss] static NAT?


> First the broadcast addr of the ifconfig is incorrect; it should probably match that of the first
> interface addr you have.  Try ifconfig without any args and it should report back to you the
> appropriate config for the broadcast and netmask.  Also I'm sure that ethX is not an interface on
> your machine; it should probably be eth0 or eth1, so the command would be like
>
> ifconfig eth0:1 x.x.x.x netmask x.x.x.x broadcast x.x.x.x
>
> Again here x should be replaced by the IP addr, the netmask and the broadcast.
>
> You mention you would simply like to do the ports for FTP and HTTP, so I would probably change the
> iptables commands as follows, as the previous ones should simply forward everything to the second ip
> addr.
>
> iptables -t nat -D PREROUTING -d 216.224.237.55 -j DNAT --to 192.168.12.99  # removes the previous rule
>
> iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 20 -j DNAT --to 192.168.12.99
> iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 21 -j DNAT --to 192.168.12.99
> iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 80 -j DNAT --to 192.168.12.99
> iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 443 -j DNAT --to 192.168.12.99
>
>
> -----Original Message-----
> From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
> Of Bob Byron
> Sent: Wednesday, February 06, 2002 10:29 PM
> To: discuss at ntlug.org
> Subject: Re: [NTLUG:Discuss] static NAT?
>
>
> Well, I was testing the configuration and when I connect to
> 216.224.237.55, I seem to get a connection to the server
> (216.224.237.34) and not to 192.168.12.99.
>
> Oh, and in the last email where I mentioned the commands I executed,
> I meant to say I executed the commands:
>
> ifconfig ethX:1 216.224.237.55 netmask 255.255.255.0 broadcast 192.168.12.255
> iptables -t nat -A PREROUTING -d 216.224.237.55 -j DNAT --to 192.168.12.99
>
> Bob Byron
>
> ----- Original Message -----
> From: "Bob Byron" <bbyron at radit.com>
> To: <discuss at ntlug.org>
> Sent: Wednesday, February 06, 2002 9:42 PM
> Subject: Re: [NTLUG:Discuss] static NAT?
>
>
> > That is exactly what I am looking for, but I have been trying to determine
> > what the "broadcast" is doing, and I am not sure what the "new broadcast"
> > should be.
> >
> > Let's take as an example
> > WAN IP: 216.224.237.34  (existing server)
> > WAN Virtual IP: 216.224.237.55  (virtual IP)
> > WAN subnetmask: 255.255.255.224
> > LAN 192.168.12.99 (non routable lan IP).
> > LAN subnetmask: 255.255.255.0
> >
> > I want to route 216.224.237.55 directly to 192.168.12.99.
> > ifconfig ethX:1 216.224.237.55 netmask 255.255.255.0 broadcast 192.168.1.255
> > iptables -t nat -A PREROUTING -d 216.224.237.55
> >
> > I also will want to block connections to that port except through
> > perhaps ports 80 and 21.
> >
> > I am testing.  Thanks for the info.
> >
> > Bob Byron
> >
> > ----- Original Message -----
> > From: "Paul Ingendorf" <pauldy at wantek.net>
> > To: <discuss at ntlug.org>
> > Sent: Wednesday, February 06, 2002 11:47 AM
> > Subject: Re: [NTLUG:Discuss] static NAT?
> >
> >
> > >
> > > 1.)
> > >
> > > ifconfig ethX:1 <ext ip> netmask <newnetmask> broadcast <new broadcast>
> > >
> > > Where X is the number of the external interface.
> > >
> > > 2.)
> > >
> > > Then you should use something like so.
> > > iptables -t nat -A PREROUTING -d <ext ip> -j DNAT --to <int ip>
> > >
> > >
> > >
> > > Quoting Bob Byron <bbyron at radit.com>:
> > >
> > > > I have a linux server acting as a firewall with a private non-routable
> > > > network (lan) on one side and the internet (wan) on the other.  I have
> > > > a number of ip addresses and want to be able to take one machine on
> > > > the lan and make it addressable from the outside.  I am using IP tables
> > > > and the private network is being "NAT"ed.  So, I suspect I have to
> > > > do two things.
> > > >
> > > > 1)  Tell my NIC card on the wan side to accept a second (virtual)
> > > > IP address.
> > > >
> > > > 2)  I need to have the firewall statically translate the lan machine
> > > > using that address.
> > > >
> > > > Any ideas how to do that?
> > > >
> > > > Thanks,
> > > > Bob Byron
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > http://www.ntlug.org/mailman/listinfo/discuss
> > > >
> > >
> > >
> > >
> > > --
> > > -->> mailto:pauldy at wantek.net
> > > -->> http://www.wantek.net/
> > > Running ....... Cos anything else would be a waste...
> > > `:::'                  .......  ......
> > >  :::  *                  `::.    ::'
> > >  ::: .::  .:.::.  .:: .::  `::. :'
> > >  :::  ::   ::  ::  ::  ::    :::.
> > >  ::: .::. .::  ::.  `::::. .:'  ::.
> > > :::.....................::'   .::::..
> > >
> >
>

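The thread converges on two halves of a 1:1 static NAT: inbound DNAT on PREROUTING for the virtual IP (restricted to the FTP/HTTP ports), and outbound SNAT on POSTROUTING so the LAN host leaves with the virtual IP, placed before the catch-all SNAT/MASQUERADE for the rest of the LAN. The script below is an added example, not code from the thread or from NTLUG: it emits that nat table in iptables-restore format and includes a check that flags a nat-table dump in which a catch-all SNAT/MASQUERADE precedes (and therefore shadows) the host-specific SNAT. The addresses are the ones from the thread; the interface name eth0 and the sample dumps are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the nat table the thread
# converges on (inbound DNAT for the virtual IP, limited to the FTP/HTTP ports,
# plus outbound SNAT so the LAN host appears as the virtual IP) as an
# iptables-restore file, and checks a nat-table dump for the ordering
# mistake Paul warns about. Addresses are the thread's; EXT_IF is assumed.
VIP=216.224.237.55        # virtual external IP (thread)
SERVER_IP=216.224.237.34  # primary external IP of the firewall (thread)
INT_IP=192.168.12.99      # LAN host that owns the virtual IP (thread)
LAN_NET=192.168.12.0/24   # LAN, from the 255.255.255.0 mask in the thread
EXT_IF=eth0               # assumed name of the WAN interface

# Emit the nat table for "iptables-restore". Rules are tried top to bottom and
# the first match wins, so the host-specific SNAT must precede the catch-all
# SNAT for the rest of the LAN. "-o $EXT_IF" leaves LAN-to-LAN traffic alone.
gen_nat_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $VIP -p tcp --dport 20 -j DNAT --to-destination $INT_IP
-A PREROUTING -d $VIP -p tcp --dport 21 -j DNAT --to-destination $INT_IP
-A PREROUTING -d $VIP -p tcp --dport 80 -j DNAT --to-destination $INT_IP
-A PREROUTING -d $VIP -p tcp --dport 443 -j DNAT --to-destination $INT_IP
-A POSTROUTING -s $INT_IP -o $EXT_IF -j SNAT --to-source $VIP
-A POSTROUTING -s $LAN_NET -o $EXT_IF -j SNAT --to-source $SERVER_IP
COMMIT
EOF
}

# Inspect an existing dump ("iptables-save -t nat" output, passed as a file).
# Exit 0 if the host-specific SNAT comes before any catch-all SNAT/MASQUERADE,
# 1 if a catch-all precedes (and therefore shadows) it, 2 if there is none.
check_snat_order() {
  awk -v host="$INT_IP" '
    /^-A POSTROUTING/ {
      n++
      if ($0 ~ ("-s " host "(/32)? ") && $0 ~ /-j SNAT/) { if (!spec) spec = n }
      else if ($0 ~ /-j (SNAT|MASQUERADE)/ && !spec && !broad) broad = n
    }
    END { if (!spec) exit 2; if (broad) exit 1; exit 0 }
  ' "$1"
}

# Constructed sample dumps (not captured from a real host) for the check above.
write_sample_dump() {   # $1 = good|bad, $2 = output file
  if [ "$1" = good ]; then
    printf '%s\n' '*nat' \
      "-A POSTROUTING -s $INT_IP/32 -o $EXT_IF -j SNAT --to-source $VIP" \
      "-A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE" 'COMMIT' > "$2"
  else
    printf '%s\n' '*nat' \
      "-A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE" \
      "-A POSTROUTING -s $INT_IP/32 -o $EXT_IF -j SNAT --to-source $VIP" 'COMMIT' > "$2"
  fi
}

# Demo: print the generated table and run the check on both samples.
# Loading it for real (as root) would be:  gen_nat_rules | iptables-restore
# which replaces the whole nat table atomically instead of appending rules.
gen_nat_rules
for kind in good bad; do
  f=$(mktemp)
  write_sample_dump "$kind" "$f"
  if check_snat_order "$f"; then echo "$kind dump: host SNAT is reached"
  else echo "$kind dump: host SNAT is shadowed by a catch-all rule"; fi
  rm -f "$f"
done
```

Generating the whole table and loading it with iptables-restore avoids the append-order problem the thread runs into with repeated `iptables -A` calls: the file is the complete, ordered nat table, and the check function can be run against `iptables-save -t nat` output on a host that was configured by hand.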