[lug] help with iptables

Carl Wagner carl.wagner at verbalworld.com
Tue Feb 22 17:18:08 MST 2011


Thanks Zan.

This works:
   iptables -t nat -A POSTROUTING -s {local IP of this box} -o eth0 -j ACCEPT

Is there something more generic that I can use for -s, like "IP address of eth0" ?
(otherwise I will need a slightly different firewall script on my two load balancers.)

Carl



On 02/22/2011 04:24 PM, Zan Lynx wrote:

> Place a rule just before the SNAT rule that does something else with the
> excluded traffic.
>
> In your case you would just -j ACCEPT it.
>
> If you were using a new chain to do the NAT processing you could -j
> RETURN to pop back to the previous chain.
>
> On 2/22/11 4:00 PM, Carl Wagner wrote:
>> Hi,
>>
>> I have an application where I need to do SourceNAT, but don't want to
>> change the source IP for traffic originating on the local box.
>>
>> This is the script I am using to try to allow the servers out to the
>> Internet:
>>
>> ======
>> #!/bin/bash
>> # Delete and flush. Default table is "filter". Others like "nat" must be
>> # explicitly stated.
>> iptables --flush                     # Flush all the rules in the filter table
>> iptables --table nat --flush         # ... and in the nat table
>> iptables --delete-chain              # Delete all user-defined chains in the filter table
>> iptables --table nat --delete-chain  # ... and in the nat table
>>
>> # Set up IP FORWARDing and Source-NAT
>> iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to {a public IP behind a firewall}
>> iptables --append FORWARD --in-interface eth1 -j ACCEPT
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward   # Enables packet forwarding by the kernel
>> =======
>>
>> How would I exclude the local boxes IP's/localhost from the SourceNAT?
>>
>> Thanks,
>> Carl
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
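An added example, not code from this thread, that answers the "something more generic for -s" question: it derives the WAN interface's address from `ip -4 -o addr show` instead of hard-coding it, and also shows the `-m addrtype --src-type LOCAL` form, which needs no address at all. The interface names and the public IP (an RFC 5737 documentation address) are placeholders; run it as `sh snat.sh show` to print the commands or `sh snat.sh apply` as root to install them.

```shell
#!/bin/sh
# Added example (not from the thread): build the NAT rule set so that traffic
# originating on this box is excluded from SNAT without hard-coding its address.
# Usage: sh snat.sh show   (print the commands)
#        sh snat.sh apply  (run them, as root)
set -e

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.5}"   # placeholder, RFC 5737 documentation range

# Pull the first IPv4 address out of "ip -4 -o addr show dev <if>" output.
# Reads stdin so it can be checked against constructed sample text.
iface_ipv4() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# The exclusion rule. Given an address it is the rule from the thread; given
# an empty string it uses the addrtype match, which matches every address
# configured on the box, so one script fits both load balancers unchanged.
# Either way it must precede the SNAT rule: first match wins in POSTROUTING.
exclude_rule() {
    if [ -n "$1" ]; then
        echo "iptables -t nat -A POSTROUTING -s $1 -o $WAN_IF -j ACCEPT"
    else
        echo "iptables -t nat -A POSTROUTING -m addrtype --src-type LOCAL -o $WAN_IF -j ACCEPT"
    fi
}

# Full rule set, one command per line, in the order it must be installed.
nat_rules() {
    exclude_rule "$1"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
    echo "iptables -A FORWARD -i $LAN_IF -j ACCEPT"
}

main() {
    local_ip="$(ip -4 -o addr show dev "$WAN_IF" | iface_ipv4)"
    [ -n "$local_ip" ] || { echo "no IPv4 address on $WAN_IF" >&2; exit 1; }
    if [ "$1" = "apply" ]; then
        iptables -F; iptables -t nat -F          # flush, as the original script does
        nat_rules "$local_ip" | while read -r cmd; do $cmd; done
        echo 1 > /proc/sys/net/ipv4/ip_forward   # keep the space: "echo 1>" is a redirection
    else
        nat_rules "$local_ip"
    fi
}

case "${1:-}" in show|apply) main "$1" ;; esac
```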



