iptables masquerading 3 localnet

Carles Pina i Estany is08139@salleURL.edu
Mon, 26 Feb 2001 22:45:25 +0000 (GMT)


Hi,


Tomorrow I will test it. But I don't understand.

I don't want to Masquerade if the destination is:
100.200.300.x
100.200.301.x
10.x.y.z

The sources are always from 10.9.x.y (if I remember well). Then, depending on the
destination, I will masquerade or only forward.

I don't understand what you do with your rules :-(

Thank you very much

On Mon, 26 Feb 2001, Chapman Brad wrote:

> Mr. Estany,
>
> 	Sorry :-(
>
> 	Remember, the FORWARD chain carries all
> de-masqueraded and un-masqueraded packets. Therefore,
> I need to change the rules slightly. I don't usually
> do things in the FORWARD chain; I prefer using the
> POSTROUTING chain and leaving the FORWARD chain alone.
> Thus, you should do this:
>
> iptables -t filter -P FORWARD ACCEPT
>
> iptables -t nat -P POSTROUTING ACCEPT
>
> iptables -t nat -A POSTROUTING -o ! ppp0 -j RETURN
>
> iptables -t nat -A POSTROUTING -p tcp -s 100.200.300.0 -o ppp0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -p udp -s 100.200.300.0 -o ppp0 -j MASQUERADE
>
> iptables -t nat -A POSTROUTING -p tcp -s 100.200.301.0 -o ppp0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -p udp -s 100.200.301.0 -o ppp0 -j MASQUERADE
>
> iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.0 -o ppp0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -p udp -s 10.0.0.0 -o ppp0 -j MASQUERADE
>
> iptables -t nat -A POSTROUTING -o ppp0 -j DROP
>
> 	These commands set the policy of the FORWARD chain to
> ACCEPT, and the POSTROUTING chain's policy to ACCEPT.
> It then masquerades all TCP and UDP traffic leaving on
> ppp0 with the aforementioned source networks, then
> drops all traffic not from those three networks. Try
> these commands; they should work. If not, write back
> and tell me what broke ;-)
>
> Brad
> 
> --- Carles Pina i Estany <is08139@salleURL.edu> wrote:
> >
> >
> > Hi,
> >
> > Today I tested it. It doesn't work :-(
> >
> > The situation, remember that it is:
> > -Forward to 100.200.300.x
> > -Forward to 100.200.301.x
> > -Forward to 10.x.y.z
> > -Masquerade other IP's
> >
> > I test:
> >
> > iptables -F
> > iptables -t nat -F
> > iptables -P INPUT ACCEPT
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT ACCEPT
> >
> > iptables -A FORWARD -p tcp -s 10.0.0.0/255.0.0.0 -d \
> > 	100.200.300.0/255.255.255.0 -i eth0 -j ACCEPT
> >
> > iptables -A FORWARD -p tcp -s 10.0.0.0/255.0.0.0 -d \
> > 	100.200.300.0/255.255.255.0 -i eth0 -j ACCEPT
> >
> > iptables -A FORWARD -p tcp -s 10.0.0.0/255.0.0.0 -d \
> > 	10.0.0.0/255.0.0.0 -i eth0 -j ACCEPT
> >
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > iptables -t nat -s 10.0.0.0/255.0.0.0 -A POSTROUTING -o \
> > 	eth0 -j SNAT --to IP_OF_SERVER
> >
> > I think that with this configuration the Internet doesn't
> > work (then, there is no masquerading ¿?) and the "local"
> > IPs are forwarded.
> >
> > I tested a lot of things; sometimes the Internet works but
> > I do masquerading to local IPs, or the Internet doesn't
> > work and local IPs are forwarded (not masqueraded).
> >
> > Thank you very much
> >
> > On Sat, 24 Feb 2001, Chapman Brad wrote:
> >
> > > Mr. Estany,
> > >
> > > 	If you use a policy of DROP for the FORWARD chain,
> > > then you need this line:
> > >
> > > iptables -t filter -A FORWARD -p icmp -j ACCEPT
> > >
> > > 	This will allow ICMP packets. You will also need to
> > > add the -p tcp or -p udp argument to the first rule
> > > command you showed me (-d 130.206.42.0).
> > >
> > > 	Also, the reason why you need that state command is
> > > also because the default policy of FORWARD is DROP.
> > > That command lets everything and anything in.
> > > Setting FORWARD to DROP also takes care of anything
> > > not explicitly let in. If you still need help, I'll
> > > attach my firewall script to an e-mail and let you
> > > look at it.
> > >
> > > Hope this helps,
> > >
> > > Brad
> > >
> > > --- Carles Pina i Estany <is08139@salleURL.edu> wrote:
> > > >
> > > > Hi,
> > > >
> > > > Yes, it's a good system. Today we tested something like:
> > > >
> > > > iptables -P FORWARD DROP
> > > > iptables -A FORWARD -s 10.0.0.0/255.0.0.0 -d 130.206.42.0/255.255.255.0 -j ACCEPT
> > > >
> > > > Then we tested a ping. It doesn't work (?)
> > > > With the FORWARD policy set to ACCEPT it works fine.
> > > >
> > > > Now, at home, I tested it (with my home LAN and ppp
> > > > connection). To masquerade with the FORWARD policy set to
> > > > REJECT, I must use this line:
> > > >
> > > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > >
> > > > Why?
> > > >
> > > > If I don't use it, with only:
> > > > iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
> > > > it doesn't FORWARD the pings.
> > > >
> > > > I suppose that it is a problem with "how" the packet
> > > > goes from ppp0 to eth0... but I don't understand the
> > > > rule very well.
> > > >
> > > > Thank you very much, Monday I will test it on the server
> > > >
> > > >
> > > > On Fri, 23 Feb 2001, Chapman Brad wrote:
> > > >
> > > > > Mr. Estany,
> > > > >
> > > > > 	I see. You want to do this:
> > > > >
> > > > > iptables -t filter -A FORWARD -d 100.200.300.0 -i eth0 -j ACCEPT
> > > > > iptables -t filter -A FORWARD -d 100.200.301.0 -i eth0 -j ACCEPT
> > > > > iptables -t filter -A FORWARD -d 10.0.0.0 -i eth0 -j ACCEPT
> > > > >
> > > > > iptables -t nat -A POSTROUTING -i eth0 -j MASQUERADE
> > > > >
> > > > > 	The first three lines directly forward any addresses
> > > > > in the 100.200.30x.x and 10.x.x.x networks, in case
> > > > > FORWARD is set to DROP. The last rule masquerades all
> > > > > remaining traffic. If you're dealing with a different
> > > > > interface, then change the -i eth0 switch to read -i
> > > > > <interface>.
> > > > >
> > > > > Hope this helps,
> > > > >
> > > > > Brad
> > > > >
> > > > > --- Carles Pina i Estany <is08139@salleURL.edu> wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > We use iptables. We must do:
> > > > > > "If the destination is 100.200.300.x or 100.200.301.x
> > > > > > or 10.x.y.z (local networks) we must do FORWARD.
> > > > > > Else, Masquerading".
> > > > > >
> > > > > > With ipchains we inserted the rules on FORWARD, and
> > > > > > the last rule was MASQUERADING. Then, if there is no
> > > > > > FORWARD to 100.200.300.x or FORWARD to 100.200.301.x
> > > > > > or FORWARD to 10.x.y.z, else, MASQUERADING".
> > > > > >
> > > > > > But, with iptables I don't understand how to do it.
> > > > > > What POLICY can I set to do it in POSTROUTING? I did
> > > > > > some tests, but it doesn't work well...
> > > > > >
> > > > > > If you like, afterwards I can send all the tests :-)
> > > > > >
> > > > > > Thank you very much!
> > > > > >
> > > > > > ----
> >
> === message truncated ===
>
>
>

----
Carles Pina i Estany
   E-Mail: cpina@linuxfan.com || #ICQ: 14446118 || Nick: Pinux
   URL: http://www.salleurl.edu/~is08139
   Pues si no te encuentras bien, búscate mejor. (c)JMR/95
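The rule set the thread is working towards, as an added example (not code from either poster): destinations in the local networks are excluded from NAT by matching on -d in POSTROUTING, everything else leaving the uplink is masqueraded, and FORWARD defaults to DROP with the state rule that lets replies back in. Assumed, not from the thread: eth0 is the LAN side, ppp0 the uplink, the LAN is 10.0.0.0/8, and the three local prefixes are the thread's own placeholders (100.200.300.0/24 is not a valid IPv4 prefix) to be replaced before use.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the iptables rules that
# forward traffic to the local networks untouched and masquerade everything
# else leaving the uplink. Assumptions (constructed): eth0 = LAN side,
# ppp0 = uplink, LAN = 10.0.0.0/8. LOCAL_NETS carries the thread's
# placeholder prefixes; 100.200.300.0/24 is not valid IPv4, replace them.
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_SRC="${LAN_SRC:-10.0.0.0/8}"
LOCAL_NETS="${LOCAL_NETS:-100.200.300.0/24 100.200.301.0/24 10.0.0.0/8}"

# Print the rules instead of running them, so the set can be reviewed first.
emit_rules() {
    echo "iptables -F"
    echo "iptables -t nat -F"
    # filter table: deny forwarding by default, let the LAN initiate,
    # and let replies come back. Without the state rule, return packets
    # hit the DROP policy, which is why the ping in the thread only
    # worked once FORWARD was set to ACCEPT.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN_SRC -j ACCEPT"
    # nat table: the exclusion must match on the destination (-d), not on
    # the source as in the quoted reply. ACCEPT in the nat table means
    # "no translation for this connection". POSTROUTING only knows the
    # output interface, so -o is used (-i is rejected there).
    for net in $LOCAL_NETS; do
        echo "iptables -t nat -A POSTROUTING -d $net -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Number of generated rules, for a quick sanity check of the set.
rule_count() {
    emit_rules | wc -l | tr -d ' '
}

# Apply the rules; only runs when called explicitly, and needs root.
apply_rules() {
    emit_rules | sh -e
}
```

Run emit_rules to review the set, then apply_rules as root once the placeholder prefixes have been replaced.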