On Monday 26 July 2004 1:13 pm, Frédéric Gonzatti wrote:

> Thanks for your answer but if I understand what you mean, I have only to
> add the following line in my iptables script :
> iptables -A POSTROUTING -t nat -o eth2 -j DNAT --to 62.160.X.Y

Please note the correction posted by Jason Opperisano - I typed a D instead of an S:

iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to 62.160.X.Y

> With this line the computers on my LAN and my DMZ will be allowed to exit to the
> Internet ??

Yes.

> With the two following lines will it work ?
> iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o eth2 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE

Yes, that would work as well, but:

1. Why do you want to specify the source addresses? Do you have any other subnets on the inside of your firewall (if not, why bother to specify; if yes, don't you want those other addresses to have access to the Internet?)

2. Do you have a dynamic (DHCP) address on eth2? If so, then MASQUERADE is the correct target, but if it's a static address, SNAT is marginally more efficient.

Regards,

Antony.

-- 
If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet - he's going to choose dancing pigs over computer security any day. If the computer prompts him with a warning screen like: "The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life's savings, and impair your ability to have children," he'll click "OK" without even reading it. Thirty seconds later he won't even remember that the warning screen even existed.

- Bruce Schneier, "Secrets and Lies"

Please reply to the list; please don't CC me.
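The SNAT-versus-MASQUERADE choice and the optional source-subnet restriction discussed above, written out as an added example (not code from either poster): a small POSIX sh function that emits the outbound NAT rules in iptables-restore(8) format. The interface name eth2, the placeholder address 62.160.X.Y and the subnets 172.16.0.0/16 and 192.168.2.0/24 are taken from the thread; the function name build_nat_rules and its argument layout are this example's own choices. Nothing here touches a live firewall; it only produces the rule text.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an iptables-restore
# "nat" table that translates traffic leaving the Internet-facing interface.
# Assumptions: interface eth2, placeholder public address 62.160.X.Y and the
# inside subnets come from the mailing-list exchange; the function name and
# argument order are this example's own.

# build_nat_rules IFACE STATIC_ADDR [SUBNET...]
#   IFACE        outbound (Internet-facing) interface
#   STATIC_ADDR  the interface's fixed public address, or "" when the address
#                is obtained by DHCP; with "" the rule uses MASQUERADE, which
#                always reads the current interface address, otherwise SNAT
#                with an explicit --to-source
#   SUBNET...    optional inside subnets to restrict the rule to; with none
#                given, every packet leaving IFACE is translated (so a subnet
#                added later to the inside still gets Internet access)
build_nat_rules() {
    iface=$1
    addr=$2
    shift 2

    if [ -n "$addr" ]; then
        target="SNAT --to-source $addr"
    else
        target="MASQUERADE"
    fi

    echo '*nat'
    echo ':POSTROUTING ACCEPT [0:0]'
    if [ $# -eq 0 ]; then
        echo "-A POSTROUTING -o $iface -j $target"
    else
        for net in "$@"; do
            echo "-A POSTROUTING -s $net -o $iface -j $target"
        done
    fi
    echo 'COMMIT'
}

# Usage with constructed values: static public address, no source restriction.
# To load it for real:  build_nat_rules eth2 62.160.X.Y | iptables-restore --noflush
build_nat_rules eth2 62.160.X.Y
```

Calling `build_nat_rules eth2 "" 172.16.0.0/16 192.168.2.0/24` reproduces the two MASQUERADE lines from the question (with the `-A` that the quoted lines were missing). One practical point behind the SNAT/MASQUERADE advice: MASQUERADE also drops its connection-tracking entries when the interface goes down, which is what you want on a DHCP link whose address may change, whereas SNAT keeps translating to the address you configured.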