
#1 2006-03-31 17:19:35

stevenk
Member
Registered: 2006-01-23
Posts: 19

iptables question masquerade nat

I want to masquerade for a subnet, which is no problem using:
iptables -t nat -s 149.153.9.0/24 -A POSTROUTING -o eth0 -j SNAT --to 149.153.9.1

But I want to forward packets for one machine in that subnet, so no masquerading for that machine. This is what I'm trying:
iptables -A FORWARD -s 149.153.9.241 -o eth0 -j ACCEPT

But it's not working; I want to forward all packets for the IP instead of masquerading them.

Is iptables ignoring my forward rule because it has an already matching rule in the nat table??
So... any ideas on where I'm going wrong?


#2 2006-03-31 18:20:30

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: iptables question masquerade nat

Do you have forwarding enabled?
I believe this is the correct path for the option.

echo 1 > /proc/sys/net/ipv4/ip_forward

You can also add that to your sysctl and it will be active on boot.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#3 2006-04-01 11:00:01

stevenk
Member
Registered: 2006-01-23
Posts: 19

Re: iptables question masquerade nat

Yeah, ip_forwarding is enabled.

It either masquerades or forwards, but not a mix of both, which is what I am trying to do.

I know that iptables traverses tables or chains (I'm not sure of the exact differences yet, or the order in which they are searched), and when it finds a matching rule for a given packet, it stops traversing the chain as there is no need to continue. I tried to re-order the commands so that the forward rule is found before the masquerade rule, but still no luck.


#4 2006-04-01 18:48:57

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: iptables question masquerade nat

Oh. I see..
Well, look at this: http://linux-ip.net/nf/nfk-traversal.png

The packet traverses as follows:
prerouting -> forward -> postrouting

So your forward is fine, as is your postrouting. In your postrouting table, simply accept from that single host first..

iptables -t nat -s 149.153.9.241/32 -A POSTROUTING -o eth0 -j ACCEPT
iptables -t nat -s 149.153.9.0/24 -A POSTROUTING -o eth0 -j SNAT --to 149.153.9.1

Not sure if the nat postrouting chain has simple accept as a target. If not, just try to NAT it to the same thing that it was..
iptables -t nat -s 149.153.9.241/32 -A POSTROUTING -o eth0 -j SNAT --to 149.153.9.241




#5 2006-04-01 19:28:44

Stinky
Member
From: The Colony, TX
Registered: 2004-05-28
Posts: 187

Re: iptables question masquerade nat

I dunno about forwarding everything to that one machine... but this is how you forward requests on a certain port to one machine...

$IPTABLES -A FORWARD -p tcp -d 192.168.1.100 --dport 22 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF -d $EXTIP --dport 22 -j DNAT --to 192.168.1.100:22

Of course, change 22 to whatever port you want to forward.....


#6 2006-04-03 11:20:45

stevenk
Member
Registered: 2006-01-23
Posts: 19

Re: iptables question masquerade nat

OK cool, I now have this...:

iptables -t nat -s 149.153.9.241/32 -A POSTROUTING -o eth0 -j SNAT --to 149.153.9.241
iptables -t nat -s 149.153.9.0/24 -A POSTROUTING -o eth0 -j SNAT --to 149.153.9.1

which SNATs to the machine I want, and also SNATs the network I want.
It doesn't forward, but has the desired effect of forwarding. Cheers, cactus.

Stinky, I'll now have a look at your code and see what it does.
BTW, Stinky is the name of my Arch box :P

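The ordering point cactus makes in #4 and the final rule set stevenk settles on in #6 can be checked without a router: the Python model below, added here and not part of the thread, walks a nat POSTROUTING chain with iptables' first-match semantics (ACCEPT is a valid target in the nat table and is modelled as a terminating no-NAT decision). The addresses and interface name are the thread's own; the Rule class, the packet dict and the chain names FIXED, REVERSED and ACCEPT_FIRST are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    """One nat POSTROUTING rule: -s CIDR, -o interface, -j target [--to addr]."""
    src: str
    out_if: str
    target: str          # "ACCEPT" or "SNAT"
    to: str = ""         # --to address for SNAT

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and pkt["out_if"] == self.out_if)

def postrouting(chain, pkt):
    """Walk the chain top-down. The first matching rule with a terminating
    target (ACCEPT, SNAT) decides and traversal stops; an unmatched packet
    falls through to the chain policy (ACCEPT, so no NAT). Returns the source
    address the packet leaves with. A filter-table FORWARD rule never enters
    this walk, which is why the first attempt in the thread changed nothing."""
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "ACCEPT":
            return pkt["src"]        # explicit no-NAT, stop here
        if rule.target == "SNAT":
            return rule.to           # rewrite source, stop here
    return pkt["src"]

# The thread's final rule set, in the order the two -A commands were run.
FIXED = [
    Rule("149.153.9.241/32", "eth0", "SNAT", "149.153.9.241"),
    Rule("149.153.9.0/24", "eth0", "SNAT", "149.153.9.1"),
]
REVERSED = list(reversed(FIXED))   # same rules appended the other way round
# cactus's first suggestion: a plain ACCEPT for the single host.
ACCEPT_FIRST = [Rule("149.153.9.241/32", "eth0", "ACCEPT"), FIXED[1]]

def source_after_nat(chain, src, out_if="eth0"):
    """Source address on the wire for the first packet of a connection
    (later packets of that connection reuse the conntrack decision)."""
    return postrouting(chain, {"src": src, "out_if": out_if})

if __name__ == "__main__":
    for name, chain in (("FIXED", FIXED), ("REVERSED", REVERSED)):
        for src in ("149.153.9.241", "149.153.9.50"):
            print(f"{name:8} {src} -> {source_after_nat(chain, src)}")
```

With REVERSED the /24 rule matches the single host first and rewrites it to 149.153.9.1, which is the behaviour the thread set out to avoid.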

#7 2006-04-03 18:19:35

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: iptables question masquerade nat

Cool beans. :)


