[lug] Iptables
Dan Ferris
dan at usrsbin.com
Sun Aug 6 17:28:28 MDT 2006
I do have to SNAT every IP. We aren't doing masquerading on that range
of IPs. We are doing 1:1 NAT. Masquerading will change everything to
the firewall's IP, which will completely hose the network. DNAT won't NAT
any connections if the server in the 10.2.253 subnet initiates a connection.
Sean, thanks for the tip on rp_filter. That might be it. I think it's
on by default in the 2.6 kernels. I thought about it but forgot to
disable it the other day when I was helping my friend with this firewall.
I also read that you have to do something like this for each IP you want
to NAT:

    ip address add 204.184.20.221 dev eth2

and so on. I also did that and nothing, so maybe it's the rp_filter.
Dan
David L. Anselmi wrote:
> Dan Ferris wrote:
>> Hello list,
>>
>> I have the following in an iptables setup:
>> Chain PREROUTING (policy ACCEPT 41 packets, 4193 bytes)
>>  pkts bytes target  prot opt in  out  source      destination
>>     0     0 DNAT    all  --  *   *    0.0.0.0/0   204.184.20.221  to:10.2.253.21
>
> So it looks like packets are hitting the chain, just not matching a
> rule. What command did you use to set these up (one DNAT and
> corresponding SNAT should do)?
>
> You don't have to SNAT every IP. Just masquerading everything will
> work (and applies to connections initiated by the servers--DNAT should
> take care of both directions for incoming connections). In fact,
> maybe attacking one rule for one server at a time would help.
>
> I assume the firewall has aliases for all the 204.x addresses on its
> outside interface.
>
> Dave
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
>
--
What do you call a guy with no legs who is waterskiing?
Skip.
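The setup the thread is discussing, as an added example that is not part of this list post or either poster's configuration: a small POSIX shell script that builds the three pieces of a 1:1 NAT mapping (an alias for the public address on the outside interface, a DNAT rule for inbound traffic, and an SNAT rule so connections the server initiates leave with its own public address rather than the firewall's) and turns off rp_filter, which can silently drop DNATed traffic in asymmetric setups. It assumes eth2 is the outside interface (as in Dan's message) and that `ip`, `iptables` and `sysctl` are available; the commands are only printed unless APPLY=1 is set, so the rule set can be reviewed on any box before it is applied on the firewall.

```shell
#!/bin/sh
# Added example, not from the list thread: generate (and optionally apply)
# the rules for a 1:1 NAT mapping plus the rp_filter change discussed above.

WAN_IF="${WAN_IF:-eth2}"   # assumed outside interface (eth2 in the thread)

# run_cmd: print the command; execute it only when APPLY=1
run_cmd() {
    printf '%s\n' "$*"
    [ "${APPLY:-0}" = "1" ] && "$@"
    return 0
}

# one_to_one_nat PUBLIC_IP PRIVATE_IP
# 1. alias the public address on the outside interface so the firewall
#    answers ARP for it,
# 2. DNAT inbound packets for the public address to the private host,
# 3. SNAT outbound packets from the private host to its public address
#    (MASQUERADE would rewrite them to the firewall's own address instead).
one_to_one_nat() {
    pub="$1"; priv="$2"
    run_cmd ip address add "$pub/32" dev "$WAN_IF"
    run_cmd iptables -t nat -A PREROUTING -d "$pub" -j DNAT --to-destination "$priv"
    run_cmd iptables -t nat -A POSTROUTING -s "$priv" -o "$WAN_IF" -j SNAT --to-source "$pub"
}

# disable_rp_filter: reverse-path filtering (on by default in many 2.6
# kernels) drops packets whose source would not be routed back out the
# interface they arrived on; 0 switches it off.
disable_rp_filter() {
    run_cmd sysctl -w net.ipv4.conf.all.rp_filter=0
    run_cmd sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=0"
}

# rp_filter_status IFACE: current value, or "unknown" when the /proc entry
# does not exist (e.g. when reviewing the script on a non-Linux machine)
rp_filter_status() {
    f="/proc/sys/net/ipv4/conf/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Mapping from the thread: public 204.184.20.221 -> private 10.2.253.21
main() {
    disable_rp_filter
    one_to_one_nat 204.184.20.221 10.2.253.21
}

[ "${RUN_MAIN:-1}" = "1" ] && main
```

Run it once without APPLY to read the generated commands, then `APPLY=1 sh nat.sh` as root on the firewall; afterwards `iptables -t nat -L -v -n` should show the packet counters on the DNAT and SNAT rules increasing, and `rp_filter_status eth2` should print 0.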