[NTLUG:Discuss] static NAT?
Bob Byron
bbyron at radit.com
Fri Feb 8 10:35:06 CST 2002
I don't think that seems to work, but I am still tinkering with it.
Also, how can I tell if the POSTROUTING rules are in effect?
I do an "iptables -L" to review the rules, but I don't see any detail
on the POSTROUTING chain. Am I looking in the right place?
Bob Byron
----- Original Message -----
From: "Paul Ingendorf" <pauldy at wantek.net>
To: <discuss at ntlug.org>
Sent: Thursday, February 07, 2002 10:14 PM
Subject: RE: [NTLUG:Discuss] static NAT?
> Well, I haven't done this before, but this should work
>
> iptables -t nat -A POSTROUTING -s 192.168.12.99/255.255.255.255 -j SNAT --to 216.224.237.55
>
> The caveat here is that this should appear before any other rules you have, like maybe MASQUERADE, or,
> if you're using it like you should, a line like the following.
> iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.0.0 -j SNAT --to 216.224.237.34
>
> Of course this assumes you are using the full class b reserved net.
>
>
> -----Original Message-----
> From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
> Of Bob Byron
> Sent: Thursday, February 07, 2002 1:49 PM
> To: discuss at ntlug.org
> Subject: Re: [NTLUG:Discuss] static NAT?
>
>
> Alright, this is interesting. I made the changes you mentioned and things are
> getting better. Thank You!!! Now, I need another change. When I connect
> to the WAN, I want my local client to be seen as the .55 number. That is,
> from my machine (192.168.12.99) on the LAN, I want to connect to a
> remote location such as:
> http://www.hexillion.com/samples/AspTrace.asp
> And that website would see 216.224.237.55 as my IP address. So, it is
> a static NAT translation on the way out for any connection I make from
> 192.168.12.99. Currently, if I connect from my machine to the above
> website, my server's address is displayed (216.224.237.34).
>
> Bob Byron
>
> ----- Original Message -----
> From: "Paul Ingendorf" <pauldy at wantek.net>
> To: <discuss at ntlug.org>
> Sent: Wednesday, February 06, 2002 11:48 PM
> Subject: RE: [NTLUG:Discuss] static NAT?
>
>
> > First, the broadcast addr of the ifconfig is incorrect; it should probably match that of the first
> > interface addr you have. Try ifconfig without any args and it should report back to you the
> > appropriate config for the broadcast and netmask. Also, I'm sure that ethX is not an interface on
> > your machine; it should probably be eth0 or eth1, so the command would be like
> >
> > ifconfig eth0:1 x.x.x.x netmask x.x.x.x broadcast x.x.x.x
> >
> > Again here x should be replaced by the Ip addr the netmask and the broadcast.
> >
> > You mention you would simply like to do the ports for FTP and HTTP, so I would probably change the
> > iptables commands as follows, as the previous ones should simply forward everything to the second ip
> > addr.
> >
> > iptables -t nat -D PREROUTING -d 216.224.237.55 -j DNAT --to 192.168.12.99 # removes the previous rule
> >
> > iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 20 -j DNAT --to 192.168.12.99
> > iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 21 -j DNAT --to 192.168.12.99
> > iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 80 -j DNAT --to 192.168.12.99
> > iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 443 -j DNAT --to 192.168.12.99
> >
> >
> > -----Original Message-----
> > From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
> > Of Bob Byron
> > Sent: Wednesday, February 06, 2002 10:29 PM
> > To: discuss at ntlug.org
> > Subject: Re: [NTLUG:Discuss] static NAT?
> >
> >
> > Well, I was testing the configuration and when I connect to
> > 216.224.237.55, I seem to get a connection to the server
> > (216.224.237.34) and not to 192.168.12.99.
> >
> > Oh, and in the last email where I mentioned the commands I executed,
> > I meant to say I executed the commands:
> >
> > ifconfig ethX:1 216.224.237.55 netmask 255.255.255.0 broadcast 192.168.12.255
> > iptables -t nat -A PREROUTING -d 216.224.237.55 -j DNAT --to 192.168.12.99
> >
> > Bob Byron
> >
> > ----- Original Message -----
> > From: "Bob Byron" <bbyron at radit.com>
> > To: <discuss at ntlug.org>
> > Sent: Wednesday, February 06, 2002 9:42 PM
> > Subject: Re: [NTLUG:Discuss] static NAT?
> >
> >
> > > That is exactly what I am looking for, but I have been trying to determine
> > > what the "broadcast" is doing, and I am not sure what the "new broadcast"
> > > should be.
> > >
> > > Let's take as an example
> > > WAN IP: 216.224.237.34 (existing server)
> > > WAN Virtual IP: 216.224.237.55 (virtual IP)
> > > WAN subnetmask: 255.255.255.224
> > > LAN 192.168.12.99 (non routable lan IP).
> > > LAN subnetmask: 255.255.255.0
> > >
> > > I want to route 216.224.237.55 directly to 192.168.12.99.
> > > ifconfig ethX:1 216.224.237.55 netmask 255.255.255.0 broadcast 192.168.1.255
> > > iptables -t nat -A PREROUTING -d 216.224.237.55
> > >
> > > I also will want to block connections to that port except through
> > > perhaps ports 80 and 21.
> > >
> > > I am testing. Thanks for the info.
> > >
> > > Bob Byron
> > >
> > > ----- Original Message -----
> > > From: "Paul Ingendorf" <pauldy at wantek.net>
> > > To: <discuss at ntlug.org>
> > > Sent: Wednesday, February 06, 2002 11:47 AM
> > > Subject: Re: [NTLUG:Discuss] static NAT?
> > >
> > >
> > > >
> > > > 1.)
> > > >
> > > > ifconfig ethX:1 <ext ip> netmask <newnetmask> broadcast <new broadcast>
> > > >
> > > > Where X is the number of the external interface.
> > > >
> > > > 2.)
> > > >
> > > > Then you should use something like so.
> > > > iptables -t nat -A PREROUTING -d <ext ip> -j DNAT --to <int ip>
> > > >
> > > >
> > > >
> > > > Quoting Bob Byron <bbyron at radit.com>:
> > > >
> > > > > I have a Linux server acting as a firewall with a private non-routable
> > > > > network (lan) on one side and the internet (wan) on the other. I have
> > > > > a number of ip addresses and want to be able to take one machine on
> > > > > the lan and make it addressable from the outside. I am using iptables
> > > > > and the private network is being "NAT"ed. So, I suspect I have to
> > > > > do two things.
> > > > >
> > > > > 1) Tell my NIC card on the wan side to accept a second (virtual)
> > > > > IP address.
> > > > >
> > > > > 2) I need to have the firewall statically translate the lan machine
> > > > > using that address.
> > > > >
> > > > > Any ideas how to do that?
> > > > >
> > > > > Thanks,
> > > > > Bob Byron
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > http://www.ntlug.org/mailman/listinfo/discuss
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > -->> mailto:pauldy at wantek.net
> > > > -->> http://www.wantek.net/
> > > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> >
> >
>
>
>
>
>
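The whole thread above amounts to one procedure: put the second public address on the external interface (with a broadcast that belongs to the WAN subnet, which was the first thing that went wrong), DNAT selected inbound ports to the LAN host, SNAT that host's outbound traffic to the virtual IP before the general MASQUERADE/SNAT rule can catch it, and then confirm the rules are live. The script below is an added example written by the editor, not code posted by anyone in the thread. It uses the addresses and masks given in the thread; the interface name eth0, the LAN network 192.168.12.0/24, and the FORWARD-chain rules are assumptions. The broadcast helper is pure shell so it can be checked without root; the iptables commands are only run when the script is invoked with "apply".

```shell
#!/bin/sh
# Added example (editor's, not from the thread): one-to-one NAT for a single
# LAN host on an iptables firewall, plus the commands that show the nat table.
# Values from the thread; EXT_IF and LAN_NET are assumptions.
EXT_IF=${EXT_IF:-eth0}
SERVER_IP=216.224.237.34
VIRT_IP=216.224.237.55
WAN_MASK=255.255.255.224
LAN_HOST=192.168.12.99
LAN_NET=192.168.12.0/24

# Broadcast address of an IPv4 address under a netmask: set every host bit.
# With a /27 (255.255.255.224) the WAN broadcast is 216.224.237.63, not the
# LAN broadcast used in the thread's first attempt.
broadcast_of() {
    ip=$1 mask=$2
    oldifs=$IFS; IFS=.
    set -- $ip;   i1=$1 i2=$2 i3=$3 i4=$4
    set -- $mask; m1=$1 m2=$2 m3=$3 m4=$4
    IFS=$oldifs
    printf '%d.%d.%d.%d\n' \
        $(( i1 | (255 - m1) )) $(( i2 | (255 - m2) )) \
        $(( i3 | (255 - m3) )) $(( i4 | (255 - m4) ))
}

# Emit the commands, one per line, in the order they must be applied.
# The per-host SNAT is inserted at position 1 so it always precedes the
# general SNAT/MASQUERADE rule; otherwise the host keeps leaving as .34.
# Port 20 is deliberately absent: an FTP server originates its active-mode
# data connections, so nothing needs to reach port 20 from outside.
nat_rules() {
    bcast=$(broadcast_of "$SERVER_IP" "$WAN_MASK")
    cat <<EOF
ifconfig $EXT_IF:1 $VIRT_IP netmask $WAN_MASK broadcast $bcast
iptables -t nat -A PREROUTING -d $VIRT_IP -p tcp --dport 21 -j DNAT --to-destination $LAN_HOST
iptables -t nat -A PREROUTING -d $VIRT_IP -p tcp --dport 80 -j DNAT --to-destination $LAN_HOST
iptables -t nat -A PREROUTING -d $VIRT_IP -p tcp --dport 443 -j DNAT --to-destination $LAN_HOST
iptables -t nat -I POSTROUTING 1 -o $EXT_IF -s $LAN_HOST -j SNAT --to-source $VIRT_IP
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j SNAT --to-source $SERVER_IP
iptables -A FORWARD -i $EXT_IF -d $LAN_HOST -p tcp -m multiport --dports 21,80,443 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -d $LAN_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules as root; "sh -e" stops at the first command that fails.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules | sh -e
}

# "iptables -L" lists only the filter table. The nat table has to be asked
# for explicitly; -v adds packet/byte counters, which is how you see whether
# a POSTROUTING rule is actually matching traffic.
show_nat() {
    iptables -t nat -L PREROUTING  -n -v --line-numbers
    iptables -t nat -L POSTROUTING -n -v --line-numbers
}

# Exit 0 if the per-host SNAT rule is present (-C needs iptables 1.4.11+).
snat_in_effect() {
    iptables -t nat -C POSTROUTING -o "$EXT_IF" -s "$LAN_HOST" -j SNAT --to-source "$VIRT_IP"
}

case "${1:-}" in
    rules) nat_rules ;;
    apply) apply_rules ;;
    show)  show_nat ;;
esac
```

Run `sh nat.sh rules` to review the commands, `sh nat.sh apply` as root to install them, and `sh nat.sh show` to list both nat chains with counters; a browse from 192.168.12.99 to an external site should then increment the counter on the first POSTROUTING rule. On a current system `ip addr add 216.224.237.55/27 dev eth0` replaces the ifconfig alias line, and FTP data connections rely on the kernel's FTP connection-tracking helper (ip_conntrack_ftp on kernels of that era, nf_conntrack_ftp today) rather than on extra port rules.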