[lug] help with iptables

Zan Lynx zlynx at acm.org
Tue Feb 22 16:24:46 MST 2011


Place a rule just before the SNAT rule that does something else with the 
excluded traffic.

In your case you would just -j ACCEPT it.

If you were using a new chain to do the NAT processing you could -j 
RETURN to pop back to the previous chain.

On 2/22/11 4:00 PM, Carl Wagner wrote:
> Hi,
>
> I have an application where I need to do SourceNAT, but don't want to
> change the source IP for traffic originating on the local box.
>
> This is the script I am using to try to allow the servers out to the
> Internet:
>
> ======
> #!/bin/bash
> # Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
> iptables --flush                        # Flush all the rules in filter and nat tables
> iptables --table nat --flush
> iptables --delete-chain                 # Delete all chains that are not in default filter and nat table
> iptables --table nat --delete-chain
>
> # Set up IP FORWARDing and Source-NAT
> iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to {a public IP behind a firewall}
> iptables --append FORWARD --in-interface eth1 -j ACCEPT
>
> echo 1 > /proc/sys/net/ipv4/ip_forward   # Enables packet forwarding by kernel ("echo 1>" would redirect fd 1 and write nothing useful)
> =======
>
> How would I exclude the local boxes IP's/localhost from the SourceNAT?
>
> Thanks,
> Carl
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety


-- 
Zan Lynx
zlynx at acm.org

"Knowledge is Power.  Power Corrupts.  Study Hard.  Be Evil."
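Below is an added worked example of the two techniques in the reply above (an excluding rule placed before the SNAT rule, and a dedicated chain that RETURNs for the excluded traffic). It is not code from the thread. The interface names, the LAN range and the public address are assumptions chosen for illustration (the thread gives only eth0/eth1 and a placeholder IP), and `-m addrtype --src-type LOCAL` is the match used here to express "traffic whose source is one of this box's own addresses", since the original post names no specific local IPs. Note that in the nat table `-j ACCEPT` and `-j RETURN` do not filter anything: they only stop the packet from reaching the later SNAT rule. The script prints the commands by default (dry run) and applies them only when run as root with `IPTABLES=iptables`.

```shell
#!/bin/bash
# Added example (not from the original thread): SNAT forwarded LAN traffic
# leaving the WAN interface while leaving the router's own traffic untouched.
#
# Assumptions (hypothetical values; change to match the host):
LAN_IF=${LAN_IF:-eth1}                 # interface facing the servers
WAN_IF=${WAN_IF:-eth0}                 # interface facing the Internet
LAN_NET=${LAN_NET:-192.168.10.0/24}    # hypothetical LAN range
SNAT_IP=${SNAT_IP:-203.0.113.5}        # hypothetical public IP (RFC 5737 doc range)
# Dry run by default: prints the commands instead of applying them.
# Run as root with IPTABLES=iptables to apply for real.
IPTABLES=${IPTABLES:-"echo iptables"}

# Emit the full rule set. Every rule goes through $IPTABLES so the same
# function serves both dry-run and live use.
nat_rules() {
    # Start clean in both tables (same as the original script).
    $IPTABLES --flush
    $IPTABLES --table nat --flush
    $IPTABLES --delete-chain
    $IPTABLES --table nat --delete-chain

    # A dedicated chain for the NAT decision: packets that must not be
    # rewritten RETURN to POSTROUTING before the SNAT rule is reached.
    $IPTABLES --table nat --new-chain LAN_SNAT
    $IPTABLES --table nat --append POSTROUTING --out-interface "$WAN_IF" -j LAN_SNAT

    # 1. Traffic whose source is one of this box's own addresses (anything the
    #    kernel classes as LOCAL, loopback included) pops back untouched.
    #    This is the rule that excludes the local box from SNAT.
    $IPTABLES --table nat --append LAN_SNAT -m addrtype --src-type LOCAL -j RETURN
    # 2. Only sources actually inside the LAN range are rewritten; anything
    #    else that gets here (misrouted or spoofed sources) is also left alone.
    $IPTABLES --table nat --append LAN_SNAT --source "$LAN_NET" -j SNAT --to-source "$SNAT_IP"

    # Stateful forwarding: new LAN -> WAN connections, and their replies back.
    # (The original script accepted only eth1 traffic and relied on the
    #  default ACCEPT policy of FORWARD; this version is explicit.)
    $IPTABLES --policy FORWARD DROP
    $IPTABLES --append FORWARD --in-interface "$LAN_IF" --out-interface "$WAN_IF" --source "$LAN_NET" -j ACCEPT
    $IPTABLES --append FORWARD --in-interface "$WAN_IF" --out-interface "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Check, on a dry-run rendering, that the excluding RETURN rule is emitted
# before the SNAT rule. Returns 0 when the order is correct.
check_order() {
    local rules return_line snat_line
    rules=$(IPTABLES="echo iptables"; nat_rules)
    return_line=$(printf '%s\n' "$rules" | grep -n -- '--src-type LOCAL -j RETURN' | cut -d: -f1)
    snat_line=$(printf '%s\n' "$rules" | grep -n -- '-j SNAT' | cut -d: -f1)
    [ -n "$return_line" ] && [ -n "$snat_line" ] && [ "$return_line" -lt "$snat_line" ]
}

nat_rules
# Enable forwarding only after the rules are in place.
if [ "$IPTABLES" = iptables ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
else
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
fi
```

After applying for real, `iptables -t nat -L LAN_SNAT -v -n --line-numbers` should show the RETURN rule at line 1 and the SNAT rule at line 2; the packet counters on line 1 are the quickest way to confirm that the box's own outbound connections are taking the exclusion path rather than being rewritten.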
