On Friday 6 June 2003 00:56, you wrote:
> On June 5, 2003 01:54 pm, Pascal Italiaander wrote:
> > On Thursday 5 June 2003 19:51, you wrote:
> > > On Thursday 5 June 2003 15:29, Ray Leach wrote:
> > > > On Thu, 2003-06-05 at 13:38, Dharmendra.T wrote:
> > > > > On Thu, 2003-06-05 at 15:26, Paulo Andre wrote:
> > > > > I would like to do the following:
> > > > >
> > > > > Stop MASQUERADING to two servers, say 10.10.10.5 and
> > > > > 10.10.10.8. How would I do this with a rule?
> > > > >
> > > > > iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers ip'
> > > > > -j MASQUERADE
> > > > >
> > > > > Now how would I put in two IP addresses?
> > >
> > > Ok, you could do something like this:
> >
> > Sorry, in the first reply there was an error!!
> > This is fixed now.
> >
> > NO_MASK="10.10.10.5 10.10.10.8"
> >
> > if [ ${NO_MASK} != "" ] ; then
> >     for nomask in ${NO_MASK}; do
> >         iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j MASQUERADE
> >     done;
> > fi
> >
> > > This is a bit more flexible, because you can add more IPs to NO_MASK
> > > easily without changing the rule itself, or having to write a new line.
> >
> > Pascal
>
> I somehow don't think this will do what we want here.
> Rule 1 from this loop will MASQUERADE any IP that is
> NOT 10.10.10.5, which unfortunately includes 10.10.10.8,
> and rule #2 will never be hit by the 10.10.10.8 packet.
>
> I would suggest that we want to take the entire segment
> and manage it separately, but I have no experience with
> creating user chains in the nat table, although this *might*
> work -- ymmv
>
> iptables -t nat -N masq_filter
> iptables -t nat -A POSTROUTING -s x.x.x.x -d 10.10.10.0/24 -j masq_filter
> # the above line includes an assumption that MIGHT BE WRONG!!!! I don't know
> # what your netmask is!!!!!!!!!
> iptables -t nat -A masq_filter -d 10.10.10.5 -j RETURN
> iptables -t nat -A masq_filter -d 10.10.10.8 -j RETURN
> iptables -t nat -A masq_filter -j MASQUERADE
>
> filling in the IPs to NOT masquerade one at a time, perhaps with a
> loop as Pascal suggests above, with appropriate modifications...

Yes, correct, now you mention it I see it also. Two lines were added to the
filter list and would not traverse the firewall if the IP was 10.10.10.8;
however, the syntax could be reused with this modification. So, combining
the information together, we get this example:

MASQ="yes"                        # Do you need masquerading?
NO_MASK="10.10.10.5 10.10.10.8"   # IPs that don't need masquerading (watch the single space)
INET="10.10.10.0/24"              # Local network + subnet
EX_IF="eth0"                      # External interface

if [ "${MASQ}" = "yes" ]; then
    if [ -n "${NO_MASK}" ]; then
        for nomask in ${NO_MASK}; do
            # exempt this host: RETURN leaves POSTROUTING before the MASQUERADE rule
            iptables -t nat -A POSTROUTING -s ${INET} -o ${EX_IF} -d ${nomask} -j RETURN
        done
    fi
    # one MASQUERADE rule, appended after all the RETURN rules
    iptables -t nat -A POSTROUTING -s ${INET} -o ${EX_IF} -j MASQUERADE
fi

greetings,
Pascal

have fun