Re: IPTables again: selective NAT?

Andreas Unterkircher wrote:

> Jens Knoell wrote:
>
> > Is it possible to selectively enable NAT? i.e. I want to NAT everything from 192.168.0.0/24 and nothing from 192.168.1.0/24 ...?
> >
> > Thanks
> > J
> > -
> > : send the line "unsubscribe linux-admin" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> What about:
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to yourIP
>
> iptables -t nat -A POSTROUTING -j DROP
> or
> iptables -t nat -P POSTROUTING DROP
>
> Andreas

I don't quite think that'll do the job... so as requested, a clarification:

The network layout is like this:
eth0 is hooked up to the LAN and has a private IP (say, 10.0.0.1)
eth1 is hooked up to the DMZ and has a public IP (say, 12.13.14.15)

There's an IPsec gateway running on this machine for connecting outlying offices to the central office.

The machine does NAT connections to the outside world. Then there are the IPsec connections... and that's what's giving me headaches:

If an IPsec client connects to the server at 12.13.14.15, it connects the remote LAN to the office LAN. As an example, let's say I have an office in NYC which connects to my central office, say in Utah.
So:
Utah server has WAN 12.13.14.15, Utah LAN has 10.0.0.1/24
NYC IPsec router has 44.33.22.11, NYC LAN has 192.168.0.1/27


When the IPsec connection establishes, the routing table automatically adds the necessary entries. I can ping from NYC to Utah, but NOT from Utah to NYC.

The lines responsible for NAT are:
# Enable NAT
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 12.13.14.15
# Allow NAT from inside only
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
/usr/sbin/iptables -A INPUT -m state --state NEW -i eth1 -j REJECT


As best as I can tell, the packets from the Utah server to the NYC router get NAT'ed at least by the Utah server. Which I am trying to explicitly avoid. If I throw out the first line from above, things work just fine. Since the NYC router has a static IP I figured I just disable NAT for anything going to 44.33.22.11 and should be done with it. Except that I cannot figure out how to do that :/

Does that make sense?

J
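The problem described above comes from rule ordering in the nat table: the unconditional SNAT on eth1 catches the plaintext packets for the NYC LAN before they are encapsulated. The following script is an added example, not code from the thread or from either poster, showing the usual fix: put an ACCEPT for the tunnel traffic in nat POSTROUTING ahead of the SNAT rule (ACCEPT in the nat table ends nat processing for that packet, so it is never rewritten). The interface name and addresses are taken from the post (eth1, 12.13.14.15, 10.0.0.0/24, 192.168.0.0/27); the variable names, the `nat_rules` function, and the optional `-m policy` rule (which assumes the kernel and iptables have the xt_policy match) are assumptions of this example. When not run as root, or when iptables is not installed, it prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): keep site-to-site IPsec traffic out of SNAT.
# Addresses and interface follow the post; everything else is assumed for illustration.
IPT="${IPT:-/usr/sbin/iptables}"
WAN_IF=eth1                  # public side, 12.13.14.15
WAN_IP=12.13.14.15
LAN_NET=10.0.0.0/24          # Utah office LAN
REMOTE_NET=192.168.0.0/27    # NYC LAN, reached through the IPsec tunnel

nat_rules() {
    # Flush only nat/POSTROUTING so the script can be re-run without duplicating rules.
    "$IPT" -t nat -F POSTROUTING

    # 1. Traffic from the office LAN to the remote LAN is tunnel traffic: leave the
    #    source address alone. This MUST precede the SNAT rule; ACCEPT here stops
    #    further nat-table processing for the packet.
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -d "$REMOTE_NET" -j ACCEPT

    # 2. Optional, assumes the xt_policy match is available: exempt any packet that
    #    will be IPsec-encapsulated on the way out, whatever its destination, so new
    #    remote sites do not need a rule each.
    "$IPT" -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

    # 3. Everything else from the LAN leaving eth1 is rewritten to the public address.
    #    Restricting -s to the LAN prefix keeps unexpected sources from being NATed.
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

# Load the rules when running as root with iptables present; otherwise dry-run
# by printing each command so the ordering can be reviewed first.
if [ "$(id -u)" -eq 0 ] && [ -x "$IPT" ]; then
    nat_rules
else
    echo "dry run (not root or $IPT missing): rules printed, not loaded" >&2
    IPT=echo nat_rules
fi
```

To review the result on the live box, `iptables -t nat -L POSTROUTING -v -n --line-numbers` should list the ACCEPT rule(s) above the SNAT rule; packet counters on the first rule climbing while Utah-to-NYC pings succeed confirm the exemption is being hit.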
