[lug] Iptables

Zan Lynx zlynx at acm.org
Sun Aug 6 19:23:31 MDT 2006


On Sun, 2006-08-06 at 17:28 -0600, Dan Ferris wrote:
> I do have to SNAT every IP.  We aren't doing Masquerading on that range 
> of IPs.  We are doing 1:1 NAT.  Masquerading will change everything to 
> the Firewall's IP which will completely hose the network.  DNAT won't NAT 
> any connections if the server in 10.2.253 subnet initiates a connection.
> 
> Sean, thanks for the tip on rp_filter.  That might be it.  I think it's 
> on by default in the 2.6 kernels.  I thought about it but forgot to 
> disable it the other day when I was helping my friend with this firewall.
> 
> I also read that you have to do something like this for each IP you want 
> to NAT:
> 
> ip address add 204.184.20.221 dev eth2 and so on.  I also did that and 
> nothing, so maybe it's the rp_filter.

I've never heard of needing to do that.  It sounds like a bad
replacement for proxy ARP.

If this router is known to each network as the router for the target
network (as known by original IP before NAT), it shouldn't need proxy
ARP tricks.

And I assume that this router has correct routing tables?  NAT is all
well and good but the routing must work too.

Also I looked again at your rules from your first post and I think it
would be better if you had in/out interface limits on each rule.  In on
the preroute, out on the postroute, I believe.
-- 
Zan Lynx <zlynx at acm.org>
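As an added example (not code from Zan's or Dan's posts), here is a small POSIX shell helper that renders the 1:1 NAT rule pair with the interface restrictions Zan suggests, and reads back the rp_filter setting Sean pointed to. The public address 204.184.20.221 and the interface name eth2 come from the thread; the internal host addresses and the mapping list are constructed for illustration.

```shell
#!/bin/sh
# Added example for the iptables 1:1 NAT thread. Interface and internal
# addresses are hypothetical; nothing here is taken from the poster's ruleset.

# one_to_one_nat INTERNAL PUBLIC EXT_IF
# Prints the two iptables commands for one 1:1 mapping.
# DNAT in PREROUTING is limited with -i to packets entering on EXT_IF;
# SNAT in POSTROUTING is limited with -o to packets leaving on EXT_IF.
# Traffic that never crosses EXT_IF (inside-to-inside, other interfaces)
# is therefore left untouched, which is the point of the in/out limits.
one_to_one_nat() {
  internal=$1 public=$2 ext_if=$3
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
    "$ext_if" "$public" "$internal"
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
    "$ext_if" "$internal" "$public"
}

# nat_table EXT_IF
# Reads "INTERNAL PUBLIC" pairs from stdin (blank lines and # comments
# skipped) and emits the rule pair for each one.
nat_table() {
  ext_if=$1
  while read -r internal public; do
    case "$internal" in ''|\#*) continue ;; esac
    one_to_one_nat "$internal" "$public" "$ext_if"
  done
}

# rp_filter_state FILE
# Decodes a /proc/sys/net/ipv4/conf/<if>/rp_filter value:
#   0 = off, 1 = strict (drop if the reply route would not use this
#   interface), 2 = loose (newer kernels only). Prints "unknown" when
#   the file cannot be read, e.g. on a non-Linux box.
rp_filter_state() {
  f=$1
  [ -r "$f" ] || { echo unknown; return 0; }
  case "$(cat "$f")" in
    0) echo off ;;
    1) echo strict ;;
    2) echo loose ;;
    *) echo unknown ;;
  esac
}

# rp_filter_off_cmds IF
# Prints the sysctl commands that disable strict reverse-path filtering
# for IF. The kernel uses the larger of conf/all and conf/IF, so both
# must be lowered for the change to take effect.
rp_filter_off_cmds() {
  printf 'sysctl -w net.ipv4.conf.all.rp_filter=0\n'
  printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$1"
}

# Demo with a constructed mapping list (hypothetical internal hosts).
nat_table eth2 <<'EOF'
# internal        public
10.2.253.10       204.184.20.221
10.2.253.11       204.184.20.222
EOF
echo "rp_filter on eth2: $(rp_filter_state /proc/sys/net/ipv4/conf/eth2/rp_filter)"
rp_filter_off_cmds eth2
```

The -i match is accepted in PREROUTING and -o in POSTROUTING, which is exactly the placement Zan describes. A quick way to confirm rp_filter is the culprit is to lower it with the printed sysctl commands and watch `iptables -t nat -L -v -n` counters: if the DNAT rule's packet count starts rising only after the change, strict reverse-path filtering was dropping the inbound packets before NAT ever saw them.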