Again between lines...

On 7/4/05, /dev/rob0 <rob0@xxxxxxxxx> wrote:
> On Monday 04 July 2005 11:54, Lluís Batlle wrote:
> > > >>NE1=192.168.16.0/28
> > > >>NE2=192.168.17.0/28
> > >
> > > Let's see, those are .0-.15 on the last quad.
> > >
> > > >>NLOCAL=192.168.0.0/20
> > >
> > > And this is 0.0 through 15.255 ... IOW, wrong, excluding both $NE1
> > > and $NE2. Try 192.168.16.0/23. It would not hurt for you to brush
> > > up on TCP/IP and subnetting basics.
> >
> > Oh. Is it wrong? I don't understand what's "IOW". Where should I try
> > your proposed subnet? Why?
>
> IOW="in other words", a common Internet shorthand.
>
> 192.168.0.0/20, set as $NLOCAL in your iptables script, excludes your
> IP addresses and networks. No packet hitting the rules which refer to
> that value will match, so the rules are ignored.

Why? In the LAN (eth0, 192.168.0.0/20) there are many computers... If I
change it to 192.168.0.0/16, eth1 and eth2 _won't_ be separate
subnetworks! It's important for them to be excluded. IOW, there must be
no intersection between the networks of the different NICs.

> The rules to which I am referring:
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s $NLOCAL -j SNAT --to $IPE1
> $IPTABLES -t nat -A POSTROUTING -o eth2 -s $NLOCAL -j SNAT --to $IPE2
> Your SNAT rules.
>
> Change "NLOCAL=192.168.0.0/20" to "NLOCAL=192.168.0.0/16", or as
> previously suggested, "NLOCAL=192.168.16.0/23". I suppose you could
> even omit the source specification altogether:
> $IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to $IPE1
> $IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to $IPE2

Will the kernel, that way, maintain connection tables for SNAT even for
local connections?

> ### Kids, don't try this at home. Professional stunt driver on a
> ### closed track.
> iptables -N InputLogDrop
> iptables -N ForwardAllow
> iptables -A InputLogDrop -j ACCEPT
> iptables -A FORWARD -j InputLogDrop
> iptables -A ForwardAllow -j LOG
> iptables -A ForwardAllow -p tcp -j REJECT
> iptables -A ForwardAllow -j DROP
> iptables -A INPUT -j ForwardAllow
> ### For my next trick, I will campaign to be elected Prime Minister.
> ### Thank you for your support in the polls. :)))
>
> Perhaps it doesn't break anything, but I have read here that only
> packets of --state NEW hit the -t nat PREROUTING chain. I don't know
> about the relationship between connection tracking and NAT.

Can you give a link about that?

> "RFC 1918 netblocks" is simply another form of shorthand to refer to
> IPv4 ranges which are reserved for private use, namely 10.0.0.0/8,
> 172.16.0.0/12, and 192.168.0.0/16. I rarely read RFC's myself (but I
> must confess to a fondness for RFC 1149. :) )

Hahaha :)
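The subnet arithmetic the two of them are arguing over can be checked mechanically rather than by hand. The following is an added example, not code from either poster or from the script under discussion; it uses only Python's standard-library ipaddress module. The network values (NE1, NE2, the eth0 LAN, and the three NLOCAL candidates) are the ones quoted in the thread; the function names are my own. It answers the two questions at stake: does a given NLOCAL contain both NE1 and NE2, so that `-s $NLOCAL` can match traffic from them in the SNAT rules, and are the per-NIC networks pairwise disjoint, which is the property the reply insists on.

```python
"""Subnet checks for the NLOCAL / NE1 / NE2 discussion (added example, stdlib only)."""
import ipaddress

# Values as quoted in the thread (constructed here for the example).
NE1 = ipaddress.ip_network("192.168.16.0/28")   # eth1 network, 192.168.16.0-192.168.16.15
NE2 = ipaddress.ip_network("192.168.17.0/28")   # eth2 network, 192.168.17.0-192.168.17.15
LAN = ipaddress.ip_network("192.168.0.0/20")    # eth0 LAN as stated in the reply

# The three NLOCAL values mentioned: the original, and the two suggested replacements.
CANDIDATES_NLOCAL = ["192.168.0.0/20", "192.168.0.0/16", "192.168.16.0/23"]


def address_range(net):
    """First and last address of a network, e.g. what '/20' actually spans."""
    return (str(net.network_address), str(net.broadcast_address))


def covers(nlocal, nets):
    """True if every network in nets lies entirely inside nlocal.

    This is the condition for '-s $NLOCAL' in the POSTROUTING SNAT rules to
    match packets whose source is in those networks.
    """
    outer = ipaddress.ip_network(nlocal)
    return all(inner.subnet_of(outer) for inner in nets)


def disjoint(nets):
    """True if no two networks overlap (what 'no intersection between NICs' requires)."""
    nets = list(nets)
    return all(not a.overlaps(b)
               for i, a in enumerate(nets)
               for b in nets[i + 1:])


def smallest_covering(nets):
    """Smallest single prefix that contains all of nets.

    Starts from the first network and widens the prefix one bit at a time
    until everything fits; for NE1 and NE2 this reproduces the hand-derived
    192.168.16.0/23 from the thread.
    """
    net = nets[0]
    while not all(x.subnet_of(net) for x in nets):
        net = net.supernet()
    return net


def evaluate(candidates=CANDIDATES_NLOCAL):
    """Map each NLOCAL candidate to whether it covers both NE1 and NE2."""
    return {c: covers(c, [NE1, NE2]) for c in candidates}


if __name__ == "__main__":
    print("192.168.0.0/20 spans", address_range(LAN))
    for cand, ok in evaluate().items():
        print(f"NLOCAL={cand}: covers NE1 and NE2 -> {ok}")
    print("smallest prefix covering NE1+NE2:", smallest_covering([NE1, NE2]))
    print("eth0/eth1/eth2 pairwise disjoint:", disjoint([LAN, NE1, NE2]))
    print("with NLOCAL=/16 as eth0, still disjoint:",
          disjoint([ipaddress.ip_network("192.168.0.0/16"), NE1, NE2]))
```

Running it shows the two claims side by side: 192.168.0.0/20 ends at 192.168.15.255 and so does not cover NE1 or NE2, while 192.168.16.0/23 and 192.168.0.0/16 both do; the /20, /28 and /28 networks are pairwise disjoint, but widening eth0 to /16 makes it overlap both NE1 and NE2, which is exactly the intersection the reply wants to avoid. Whether `-s $NLOCAL` in the SNAT rules should name only the eth0 LAN or every internal network is the design question the thread leaves open; the script only makes the consequences of each choice visible.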