[NTLUG:Discuss] static NAT?
Bob Byron
bbyron at radit.com
Fri Feb 8 12:12:49 CST 2002
Fantastic, thanks for all of your help Paul! As you mentioned, I needed
to make sure the rule preceded my MASQUERADE rule. That will be
very advantageous for me, to now be able to control certain machines
instead of just putting them outside the firewall. Everything is working.
Bob
----- Original Message -----
From: "Paul Ingendorf" <pauldy at wantek.net>
To: <discuss at ntlug.org>
Sent: Thursday, February 07, 2002 10:14 PM
Subject: RE: [NTLUG:Discuss] static NAT?
> Well I haven't done this before but this should work
>
> iptables -t nat -A POSTROUTING -s 192.168.12.99/255.255.255.255 -j SNAT --to 216.224.237.55
>
> The caveat here is that this should appear before any other rules you have, like maybe MASQUERADE. Or,
> if you're using it like you should, a line like the following:
> iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.0.0 -j SNAT --to 216.224.237.34
>
> Of course this assumes you are using the full class B reserved net.
>
>
> -----Original Message-----
> From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
> Of Bob Byron
> Sent: Thursday, February 07, 2002 1:49 PM
> To: discuss at ntlug.org
> Subject: Re: [NTLUG:Discuss] static NAT?
>
>
> Alright, this is interesting. I made the changes you mentioned and things are
> getting better. Thank You!!! Now, I need another change. When I connect
> to the WAN, I want my local client to be seen as the .55 number. That is,
> from my machine (192.168.12.99) on the LAN, I want to connect to a
> remote location such as:
> http://www.hexillion.com/samples/AspTrace.asp
> And that website would see 216.224.237.55 as my IP address. So, it is
> a static NAT translation on the way out for any connection I make from
> 192.168.12.99. Currently, if I connect from my machine to the above
> website, my server's address is displayed (216.224.237.34).
>
> Bob Byron
>
> ----- Original Message -----
> From: "Paul Ingendorf" <pauldy at wantek.net>
> To: <discuss at ntlug.org>
> Sent: Wednesday, February 06, 2002 11:48 PM
> Subject: RE: [NTLUG:Discuss] static NAT?
>
>
> > First, the broadcast addr of the ifconfig is incorrect; it should probably match that of the first
> > interface addr you have. Try ifconfig without any args and it should report back to you the
> > appropriate config for the broadcast and netmask. Also I'm sure that ethX is not an interface on
> > your machine; it should probably be eth0 or eth1, so the command would be like
> >
> > ifconfig eth0:1 x.x.x.x netmask x.x.x.x broadcast x.x.x.x
> >
> > Again here x should be replaced by the IP addr, the netmask and the broadcast.
> >
> > You mention you would simply like to do the ports for FTP and HTTP, so I would probably change the
> > iptables commands as follows, as the previous ones would simply forward everything to the second IP
> > addr.
> >
> > iptables -t nat -D PREROUTING -d 216.224.237.55 -j DNAT --to 192.168.12.99 # removes the previous rule
> >
> > iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 20 -j DNAT --to 192.168.12.99
> > iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 21 -j DNAT --to 192.168.12.99
> > iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 80 -j DNAT --to 192.168.12.99
> > iptables -t nat -A PREROUTING -d 216.224.237.55 -p tcp --dport 443 -j DNAT --to 192.168.12.99
> >
> >
> > -----Original Message-----
> > From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
> > Of Bob Byron
> > Sent: Wednesday, February 06, 2002 10:29 PM
> > To: discuss at ntlug.org
> > Subject: Re: [NTLUG:Discuss] static NAT?
> >
> >
> > Well, I was testing the configuration and when I connect to
> > 216.224.237.55, I seem to get a connection to the server
> > (216.224.237.34) and not to 192.168.12.99.
> >
> > Oh, and in the last email where I mentioned the commands I executed,
> > I meant to say I executed the commands:
> >
> > ifconfig ethX:1 216.224.237.55 netmask 255.255.255.0 broadcast 192.168.12.255
> > iptables -t nat -A PREROUTING -d 216.224.237.55 -j DNAT --to 192.168.12.99
> >
> > Bob Byron
> >
> > ----- Original Message -----
> > From: "Bob Byron" <bbyron at radit.com>
> > To: <discuss at ntlug.org>
> > Sent: Wednesday, February 06, 2002 9:42 PM
> > Subject: Re: [NTLUG:Discuss] static NAT?
> >
> >
> > > That is exactly what I am looking for, but I have been trying to determine
> > > what the "broadcast" is doing, and I am not sure what the "new broadcast"
> > > should be.
> > >
> > > Let's take as an example
> > > WAN IP: 216.224.237.34 (existing server)
> > > WAN Virtual IP: 216.224.237.55 (virtual IP)
> > > WAN subnetmask: 255.255.255.224
> > > LAN 192.168.12.99 (non routable lan IP).
> > > LAN subnetmask: 255.255.255.0
> > >
> > > I want to route 216.224.237.55 directly to 192.168.12.99.
> > > ifconfig ethX:1 216.224.237.55 netmask 255.255.255.0 broadcast 192.168.1.255
> > > iptables -t nat -A PREROUTING -d 216.224.237.55
> > >
> > > I will also want to block connections to that port except through
> > > perhaps ports 80 and 21.
> > >
> > > I am testing. Thanks for the info.
> > >
> > > Bob Byron
> > >
> > > ----- Original Message -----
> > > From: "Paul Ingendorf" <pauldy at wantek.net>
> > > To: <discuss at ntlug.org>
> > > Sent: Wednesday, February 06, 2002 11:47 AM
> > > Subject: Re: [NTLUG:Discuss] static NAT?
> > >
> > >
> > > >
> > > > 1.)
> > > >
> > > > ifconfig ethX:1 <ext ip> netmask <newnetmask> broadcast <new broadcast>
> > > >
> > > > Where X is the number of the external interface.
> > > >
> > > > 2.)
> > > >
> > > > Then you should use something like so.
> > > > iptables -t nat -A PREROUTING -d <ext ip> -j DNAT --to <int ip>
> > > >
> > > >
> > > >
> > > > Quoting Bob Byron <bbyron at radit.com>:
> > > >
> > > > > I have a linux server acting as a firewall with a private non-routable
> > > > > network (lan) on one side and the internet (wan) on the other. I have
> > > > > a number of ip addresses and want to be able to take one machine on
> > > > > the lan and make it addressable from the outside. I am using IP
> > > > > tables and the private network is being "NAT"ed. So, I suspect I have to
> > > > > do two things.
> > > > >
> > > > > 1) Tell my NIC card on the wan side to accept a second (virtual)
> > > > > IP address.
> > > > >
> > > > > 2) I need to have the firewall statically translate the lan machine
> > > > > using that address.
> > > > >
> > > > > Any ideas how to do that?
> > > > >
> > > > > Thanks,
> > > > > Bob Byron
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > http://www.ntlug.org/mailman/listinfo/discuss
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > -->> mailto:pauldy at wantek.net
> > > > -->> http://www.wantek.net/
> > > > Running ....... Cos anything else would be a waste...
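The whole procedure the thread arrives at, collected as an added example (this is my script, not code posted by Bob or Paul): put the second public address on the WAN NIC with a broadcast derived from the WAN mask rather than the LAN one, DNAT only the published ports inbound, and SNAT the host's own outbound traffic before the LAN-wide MASQUERADE rule. The interface names eth0/eth1 and the availability of the nf_conntrack_ftp/nf_nat_ftp helper modules are assumptions; the addresses and the /27 mask are the thread's. The script emits an iptables-restore(8) ruleset instead of calling iptables directly, so the rule ordering can be checked before anything is loaded. Port 20 is left out of the published list on purpose: it is the source port of active-mode FTP data connections, so a DNAT on destination port 20 never matches anything, and passive-mode data connections are picked up as RELATED by the FTP helper.

```shell
#!/bin/sh
# Added example, not from the NTLUG thread: one-to-one NAT for a single LAN
# host behind a Linux/iptables gateway, using the thread's addresses.
# Assumptions: eth0 is the WAN interface, eth1 the LAN interface, and the
# kernel has nf_conntrack_ftp/nf_nat_ftp for the FTP data channel.
WAN_IF=eth0
LAN_IF=eth1
WAN_MASK=255.255.255.224     # /27, as given in the thread
PUB_IP=216.224.237.55        # public address published for the LAN host
LAN_HOST=192.168.12.99
LAN_NET=192.168.12.0/24
PUB_PORTS="21 80 443"        # no 20: it is FTP's data *source* port

# Dotted quad <-> 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# broadcast_for IP MASK: directed broadcast of the subnet IP belongs to.
# The thread put a 192.168.x broadcast on a 216.224.237.x alias; the value
# has to come from the WAN mask, not the LAN one.
broadcast_for() {
    ip=$(ip_to_int "$1")
    mask=$(ip_to_int "$2")
    int_to_ip $(( (ip & mask) | (mask ^ 4294967295) ))
}

# prefix_len MASK: 255.255.255.224 -> 27, for the `ip addr` form.
prefix_len() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# alias_cmd: command that puts the second public address on the WAN NIC.
alias_cmd() {
    echo "ip addr add $PUB_IP/$(prefix_len "$WAN_MASK") brd $(broadcast_for "$PUB_IP" "$WAN_MASK") dev $WAN_IF"
}

# nat_rules: an iptables-restore(8) ruleset. Order inside POSTROUTING matters:
# the host-specific SNAT must precede the LAN-wide MASQUERADE, otherwise
# MASQUERADE wins and the host leaves as the gateway's own address (.34),
# which is exactly the symptom reported in the thread.
nat_rules() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for p in $PUB_PORTS; do
        echo "-A PREROUTING -i $WAN_IF -d $PUB_IP -p tcp --dport $p -j DNAT --to-destination $LAN_HOST"
    done
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_HOST -j SNAT --to-source $PUB_IP"
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    echo 'COMMIT'
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    for p in $PUB_PORTS; do
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_HOST -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# rule_position RULESET PATTERN: 1-based line of the first matching rule,
# so the SNAT-before-MASQUERADE ordering can be asserted before loading.
rule_position() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n1 | cut -d: -f1
}

main() {
    echo "# $(alias_cmd)"
    nat_rules
}

main "$@"
```

Load it with `sh nat.sh > /tmp/nat.rules && iptables-restore < /tmp/nat.rules`; iptables-restore replaces the nat and filter tables as a whole, which also disposes of the earlier catch-all DNAT (an `iptables -t nat -D` only succeeds when the spec matches the loaded rule exactly, so check with `iptables -t nat -L PREROUTING -n --line-numbers` if you delete by hand). Two things the thread did not cover: ports that are not DNATed still reach the gateway itself, because .55 is one of its own addresses, so the INPUT chain decides what happens to them; and kernels from 4.7 on no longer attach the FTP helper automatically, so a `-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` rule is needed in addition to the modules.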