On 06/04/07 11:28, William Bohannan wrote:
Works well except I cannot for the life of me get NAT working. I have
the following setup:
Good.
### Network Interface script
# /etc/init.d/network/interfaces
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 193.xxx.xxx.77
netmask 255.255.255.128
network 193.xxx.xxx.0
broadcast 193.xxx.xxx.127
gateway 193.xxx.xxx.126
pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1
What would happen if you added additional address, netmask, network,
broadcast, and gateway lines? Would that allow you to have aliases
defined in this manner, or would it simply over ride the existing settings?
### Simple script to start at boot
# /etc/init.d/brouter.init
echo "Bringing up NAT"
ip addr add 10.10.1.254/24 dev br0
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
route add -net -n 0.0.0.0 dev br0
#enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Hum, this looks like you will be MASQUERADEing any and all traffic that
leaves br0. I'm betting that you are MASQUERADEing some traffic that
you do not want to MASQUERADE.
Please advise.
You need to selectively MASQUERADE traffic that is leaving your br0
interface. I.e. MASQUERADE any traffic that is leaving your network
headed to the world.
You can accomplish this a couple of different ways (possibly more).
1) MASQUERADE any traffic that is not destined to your internal
network. In other words MASQUERADE any traffic that is leaving your
network. I.e.
iptables -t nat -A POSTROUTING -o br0 -d ! 10.10.1.0/24 -j MASQUERADE
(If I have that IPTables syntax correct. You get the idea.)
2) MASQUERADE any traffic that is leaving the physical interface that
is facing the internet via the physdev IPTables match extension.
(Sorry, I have no experience with this option.)
Personally, I would try to do it based on destination IP address rather
than physical interface for various reasons that are not really
pertinent here.
Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc