On June 5, 2003 07:56 pm, Pascal Italiaander wrote:
> Op vrijdag 6 juni 2003 00:56, schreef u:
> > On June 5, 2003 01:54 pm, Pascal Italiaander wrote:
> > > Op donderdag 5 juni 2003 19:51, schreef u:
> > > > Op donderdag 5 juni 2003 15:29, schreef Ray Leach:
> > > > > On Thu, 2003-06-05 at 13:38, Dharmendra.T wrote:
> > > > > > On Thu, 2003-06-05 at 15:26, Paulo Andre wrote:
> > > > > > I would like to do the following:
> > > > > >
> > > > > > Stop MASQUESRADING to two servers say. 10.10.10.5 and
> > > > > > 10.10.10.8, how would i do this with a rule.
> > > > > >
> > > > > > iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers
> > > > > > ip' -j MASQUERADE now how would i put in two ip address's ?
> > > >
> > > > Ok , you could do something like this:
> > >
> > > sorry in the first reply was an error !!
> > > this is fixed now.
> > >
> > > NO_MASK="10.10.10.5 10.10.10.8"
> > >
> > > if [ ${NO_MASK} != "" ] ; then
> > > for nomask in ${NO_MASK}; do
> > > iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j
> > > MASQUERADE done;
> > > fi
> > >
> > > > this is a bit more flexible, cause , you can ad more ip's the NO_MASK
> > > > easily without changing the rule itself, or have to write a new line.
> > >
> > > Pascal
> >
> > I somehow don't think this will do what we want here.
> > rule 1 from this loop will MASQUERADE any ip that is
> > NOT 10.10.10.5, which unfortunately includes 10.10.10.8
> > and rule #2 will never be hit by the 10.10.10.8 packet.
> >
> > I would suggest that we want to take the entire segment
> > and manage it separately, but I have no experience with
> > creating user chains in the nat table, although this *might*
> > work -- ymmv
> >
> >
> > iptables -t nat -N masq_filter
> > iptables -t nat -A POSTROUTING -s x.x.x.x -d 10.10.10.0/24 -j masq_filter
> > # the above line includes an assumption that MIGHT BE WRONG!!!! I dont
> > know # what your netmask is!!!!!!!!!
> > iptables -t nat -A masq_filter -d 10.10.10.5 -j RETURN
> > iptables -t nat -A masq_filter -d 10.10.10.8 -j RETURN
> > iptables -t nat -A masq_filter -j MASQUERADE
> >
> > filling in out the ips to NOT masquerade one at a time, perhaps with a
> > loop as pascal suggests above, with appropriate modifications...
>
> Yes correct , now you mention it , I see it also.
> 2 lines where added to the filter-list and would not traverse the firewall
> if IP was 10.10.10.8
>
> however the syntax could be reused, with this modification.
> So combined the information together we get this example;
>
> MASQ="yes' #Do you need masquerading ?
> NO_MASK="10.10.10.5 10.10.10.8" #IP's who don't need masquerading(watch the
> single-space)
> INET="10.10.10.0/24" #Local network + subnet
> EX_IF="eth0" #External interface
>
> if [ ${MASQ} == "yes" ]; then
> if [ ${NO_MASK} != "" ] ; then
> for nomask in ${NO_MASK}; do
> iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j RETURN
> iptables -A POSTROUTING -t nat -s ${INET} -o ${EX_IF} -j MASQUERADE
> done;
> else
> iptables -A POSTROUTING -t nat -s ${INET} -o ${EX_IF} -j MASQUERADE
> fi
>
> greetings Pascal
> have fun
Now we're getting somewhere, but you need to take out the !
iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j RETURN
should be
iptables -t nat -A POSTROUTING -s x.x.x.x -d ${nomask} -j RETURN
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Lets get magical!
