Re: Two IP add

On Friday 6 June 2003 00:56, you wrote:
> On June 5, 2003 01:54 pm, Pascal Italiaander wrote:
> > On Thursday 5 June 2003 19:51, you wrote:
> > > On Thursday 5 June 2003 15:29, Ray Leach wrote:
> > > > On Thu, 2003-06-05 at 13:38, Dharmendra.T wrote:
> > > > > On Thu, 2003-06-05 at 15:26, Paulo Andre wrote:
> > > > >         I would like to do the following:
> > > > >
> > > > >         Stop MASQUERADING to two servers, say 10.10.10.5 and
> > > > > 10.10.10.8. How would I do this with a rule?
> > > > >
> > > > >         iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers ip'
> > > > > -j MASQUERADE Now how would I put in two IP addresses?
> > >
> > > Ok, you could do something like this:
> >
> > Sorry, there was an error in the first reply!!
> > This is fixed now.
> >
> >  NO_MASK="10.10.10.5 10.10.10.8"
> >
> >  # quote the test: an unquoted two-word value makes [ fail with "too many arguments"
> >  if [ -n "${NO_MASK}" ]; then
> >    for nomask in ${NO_MASK}; do
> >      iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j MASQUERADE
> >    done
> >  fi
> >
> > > This is a bit more flexible, because you can add more IPs to NO_MASK
> > > easily without changing the rule itself or having to write a new line.
> >
> >  Pascal
>
> 	I somehow don't think this will do what we want here.
> 	rule 1 from this loop will MASQUERADE any ip that is
> 	NOT 10.10.10.5, which unfortunately includes 10.10.10.8
> 	and rule #2 will never be hit by the 10.10.10.8 packet.
>
> 	I would suggest that we want to take the entire segment
> 	and manage it separately, but I have no experience with
> 	creating user chains in the nat table, although this *might*
> 	work -- ymmv
>
>
> iptables -t nat -N masq_filter
> iptables -t nat -A POSTROUTING -s x.x.x.x -d 10.10.10.0/24 -j masq_filter
> # the above line includes an assumption that MIGHT BE WRONG!!!! I don't know
> # what your netmask is!!!!!!!!!
> iptables -t nat -A masq_filter -d 10.10.10.5 -j RETURN
> iptables -t nat -A masq_filter -d 10.10.10.8 -j RETURN
> iptables -t nat -A masq_filter -j MASQUERADE
>
> 	filling in the IPs to NOT masquerade one at a time, perhaps with a
> loop as Pascal suggests above, with appropriate modifications...

Yes, correct, now that you mention it, I see it too.
Two lines were added to the filter list, and the packet would not traverse the
firewall if the IP was 10.10.10.8.

However, the syntax could be reused with this modification.
So, combining the information, we get this example:

MASQ="yes"                         # Do you need masquerading?
NO_MASK="10.10.10.5 10.10.10.8"    # IPs that don't need masquerading (separate them with a single space)
INET="10.10.10.0/24"               # Local network + subnet
EX_IF="eth0"                       # External interface

if [ "${MASQ}" = "yes" ]; then
   if [ -n "${NO_MASK}" ]; then
        # One RETURN per exempted destination (match the host itself, not "! host"),
        # inserted BEFORE the general MASQUERADE rule so those packets leave POSTROUTING untouched
        for nomask in ${NO_MASK}; do
                iptables -t nat -A POSTROUTING -s ${INET} -d ${nomask} -j RETURN
        done
   fi
   # A single MASQUERADE rule after the exemptions covers everything else
   iptables -t nat -A POSTROUTING -s ${INET} -o ${EX_IF} -j MASQUERADE
fi

greetings Pascal
have fun
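As an added example, not part of the thread: a small POSIX sh rule-walk simulator that reproduces Ray's point about ordering. It models the first reply's loop (one `-d ! host -j MASQUERADE` rule per host) and the corrected layout (one `-d host -j RETURN` per host followed by a single MASQUERADE) and reports which target a packet to a given destination hits first, the way netfilter evaluates a chain top to bottom. The function names (`broken_rules`, `fixed_rules`, `walk_chain`, `verdict_*`) and the rule-line format are my own constructions; the host list is the one from the thread. With the per-host negated loop, both exempted hosts end up masqueraded because each one is matched by the other host's negated rule.

```shell
#!/bin/sh
# Added example, not from the thread: simulate first-match chain traversal
# for the two rule layouts discussed above. No iptables binary is needed.
# Rule lines have the constructed format "NEGATE DEST TARGET", where NEGATE
# is "!" or "-" and DEST is a host address or "any".

NO_MASK="10.10.10.5 10.10.10.8"   # hosts from the thread that must NOT be masqueraded

# Layout from the first reply: "-d ! host -j MASQUERADE" once per host.
broken_rules() {
    for h in ${NO_MASK}; do
        echo "! $h MASQUERADE"
    done
}

# Corrected layout: "-d host -j RETURN" once per host, then one MASQUERADE.
fixed_rules() {
    for h in ${NO_MASK}; do
        echo "- $h RETURN"
    done
    echo "- any MASQUERADE"
}

# walk_chain DST: reads rule lines on stdin and prints the first matching
# target; prints POLICY when no rule matches (the built-in chain's policy).
walk_chain() {
    dst="$1"
    while read -r neg dest target; do
        if [ "$dest" = any ] || [ "$dest" = "$dst" ]; then
            matched=1
        else
            matched=0
        fi
        # "!" inverts the destination match, exactly as "-d ! addr" does
        if [ "$neg" = "!" ]; then
            matched=$((1 - matched))
        fi
        if [ "$matched" -eq 1 ]; then
            echo "$target"
            return 0
        fi
    done
    echo POLICY
}

# Verdict for a destination under each layout.
verdict_broken() { broken_rules | walk_chain "$1"; }
verdict_fixed()  { fixed_rules  | walk_chain "$1"; }

if [ "${1:-}" = "--demo" ]; then
    for d in 10.10.10.5 10.10.10.8 10.10.10.9; do
        printf '%-12s broken=%-10s fixed=%s\n' \
            "$d" "$(verdict_broken "$d")" "$(verdict_fixed "$d")"
    done
fi
```

Run it with `sh script.sh --demo`: under the broken layout every destination, including both exempted hosts, comes back MASQUERADE; under the fixed layout 10.10.10.5 and 10.10.10.8 hit RETURN and only the remaining hosts are masqueraded. The same ordering rule is what makes Ray's separate `masq_filter` chain work: the RETURN exemptions must sit above the MASQUERADE rule, whether in POSTROUTING itself or in a user chain.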

