* Two IP add
From: Paulo Andre @ 2003-06-05 9:56 UTC
To: netfilter

I would like to do the following:

Stop MASQUERADING to two servers, say 10.10.10.5 and 10.10.10.8. How would I
do this with a rule?

iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers ip' -j MASQUERADE

Now how would I put in two IP addresses?
* Re: Two IP add
From: Ray Leach @ 2003-06-05 11:07 UTC
To: Netfilter Mailing List

On Thu, 2003-06-05 at 11:56, Paulo Andre wrote:
> I would like to do the following:
>
> Stop MASQUERADING to two servers, say 10.10.10.5 and 10.10.10.8. How would I
> do this with a rule?
>
> iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers ip' -j MASQUERADE
> Now how would I put in two IP addresses?
>

How about using 3 rules?

iptables -t nat -A POSTROUTING -d server1.ip.address -j RETURN
iptables -t nat -A POSTROUTING -d server2.ip.address -j RETURN
iptables -t nat -A POSTROUTING -s x.x.x.x -j MASQUERADE

Ray
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
* Re: Two IP add
From: Dharmendra.T @ 2003-06-05 11:38 UTC
To: Paulo Andre; Cc: netfilter

On Thu, 2003-06-05 at 15:26, Paulo Andre wrote:
> I would like to do the following:
> Stop MASQUERADING to two servers, say 10.10.10.5 and 10.10.10.8. How would I
> do this with a rule?
> iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers ip' -j MASQUERADE
> Now how would I put in two IP addresses?

Hi

iptables -t nat -A POSTROUTING -s 10.10.10.5 -d 'server ip' -j DROP
iptables -t nat -A POSTROUTING -s 10.10.10.8 -d 'server ip' -j DROP

Should work

--
Regards
Dharmendra.T

This message is intended for the addressee only. It may contain privileged or
confidential information. If you have received this message in error, please
notify the sender and destroy the message immediately. Unauthorised use or
reproduction of this message is strictly prohibited.
* Re: Two IP add
From: Ray Leach @ 2003-06-05 13:29 UTC
To: Netfilter Mailing List

On Thu, 2003-06-05 at 13:38, Dharmendra.T wrote:
> On Thu, 2003-06-05 at 15:26, Paulo Andre wrote:
> > I would like to do the following:
> >
> > Stop MASQUERADING to two servers, say 10.10.10.5 and 10.10.10.8. How would I
> > do this with a rule?
> >
> > iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers ip' -j MASQUERADE
> > Now how would I put in two IP addresses?
>
> Hi
> iptables -t nat -A POSTROUTING -s 10.10.10.5 -d 'server ip' -j DROP
> iptables -t nat -A POSTROUTING -s 10.10.10.8 -d 'server ip' -j DROP
>
> Should work

No, that will drop the packets and they won't traverse any more
tables/chains.

The -j RETURN tells iptables to leave the POSTROUTING chain and continue, so
no more POSTROUTING rules will be checked for that packet.

The nat table has these chains:

PREROUTING
POSTROUTING
OUTPUT

A target of -j RETURN means leave this chain and continue to the next.

Ray
--
Raymond Leach <raymondl@knowledgefactory.co.za>
* Re: Two IP add
From: Shawn @ 2003-06-05 17:50 UTC
To: Ray Leach; Cc: Netfilter Mailing List

On Thu, 2003-06-05 at 08:29, Ray Leach wrote:
> On Thu, 2003-06-05 at 13:38, Dharmendra.T wrote:
> > On Thu, 2003-06-05 at 15:26, Paulo Andre wrote:
> > > I would like to do the following:
> > > iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers ip' -j MASQUERADE
> > > Now how would I put in two IP addresses?
> > iptables -t nat -A POSTROUTING -s 10.10.10.5 -d 'server ip' -j DROP
> > iptables -t nat -A POSTROUTING -s 10.10.10.8 -d 'server ip' -j DROP
> > Should work
> No, that will drop the packets and they won't traverse any more
> tables/chains.
>
> The -j RETURN tells iptables to leave the POSTROUTING chain and
> continue, so no more POSTROUTING rules will be checked for that packet.
>
> The nat table has these chains:
>
> PREROUTING
> POSTROUTING
> OUTPUT
>
> A target of -j RETURN means leave this chain and continue to the next.

So what happens with

iptables -t nat -A POSTROUTING -s 10.x.x.5 -s 'server ip' -j POSTROUTING

;]
* Re: Two IP add
From: Pascal Italiaander @ 2003-06-05 17:51 UTC
To: Netfilter Mailing List

On Thursday 5 June 2003 15:29, Ray Leach wrote:
> On Thu, 2003-06-05 at 13:38, Dharmendra.T wrote:
> > On Thu, 2003-06-05 at 15:26, Paulo Andre wrote:
> > > I would like to do the following:
> > >
> > > Stop MASQUERADING to two servers, say 10.10.10.5 and 10.10.10.8,
> > > how would I do this with a rule?
> > >
> > > iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers ip' -j
> > > MASQUERADE now how would I put in two IP addresses?

OK, you could do something like this:

NO_MASK="10.10.10.5 10.10.10.8"

if [ "${NO_MASK}" != "" ] ; then
  for nomask in ${NO_MASK}; do
    iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${NO_MASK} -j MASQUERADE
  done;
fi

This is a bit more flexible, because you can add more IPs to NO_MASK easily
without changing the rule itself or having to write a new line.

Pascal
* Re: Two IP add
From: Pascal Italiaander @ 2003-06-05 17:54 UTC
To: Netfilter Mailing List

On Thursday 5 June 2003 19:51, you wrote:
> On Thursday 5 June 2003 15:29, Ray Leach wrote:
> > On Thu, 2003-06-05 at 13:38, Dharmendra.T wrote:
> > > On Thu, 2003-06-05 at 15:26, Paulo Andre wrote:
> > > > I would like to do the following:
> > > >
> > > > Stop MASQUERADING to two servers, say 10.10.10.5 and
> > > > 10.10.10.8, how would I do this with a rule?
> > > >
> > > > iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers ip' -j
> > > > MASQUERADE now how would I put in two IP addresses?
>
> OK, you could do something like this:
>

Sorry, in the first reply there was an error!! This is fixed now.

NO_MASK="10.10.10.5 10.10.10.8"

if [ "${NO_MASK}" != "" ] ; then
  for nomask in ${NO_MASK}; do
    iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j MASQUERADE
  done;
fi

> This is a bit more flexible, because you can add more IPs to NO_MASK
> easily without changing the rule itself or having to write a new line.

Pascal
* Re: Two IP add
From: Alistair Tonner @ 2003-06-05 22:56 UTC
To: Pascal Italiaander, Netfilter Mailing List

On June 5, 2003 01:54 pm, Pascal Italiaander wrote:
> On Thursday 5 June 2003 19:51, you wrote:
> > On Thursday 5 June 2003 15:29, Ray Leach wrote:
> > > On Thu, 2003-06-05 at 13:38, Dharmendra.T wrote:
> > > > On Thu, 2003-06-05 at 15:26, Paulo Andre wrote:
> > > > > I would like to do the following:
> > > > >
> > > > > Stop MASQUERADING to two servers, say 10.10.10.5 and
> > > > > 10.10.10.8, how would I do this with a rule?
> > > > >
> > > > > iptables -t nat -A POSTROUTING -s x.x.x.x -d ! 'servers ip'
> > > > > -j MASQUERADE now how would I put in two IP addresses?
> >
> > OK, you could do something like this:
>
> Sorry, in the first reply there was an error!!
> This is fixed now.
>
> NO_MASK="10.10.10.5 10.10.10.8"
>
> if [ "${NO_MASK}" != "" ] ; then
>   for nomask in ${NO_MASK}; do
>     iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j MASQUERADE
>   done;
> fi
>
> > This is a bit more flexible, because you can add more IPs to NO_MASK
> > easily without changing the rule itself or having to write a new line.
>
> Pascal

I somehow don't think this will do what we want here.
Rule 1 from this loop will MASQUERADE any IP that is
NOT 10.10.10.5, which unfortunately includes 10.10.10.8,
and rule #2 will never be hit by the 10.10.10.8 packet.

I would suggest that we want to take the entire segment
and manage it separately, but I have no experience with
creating user chains in the nat table, although this *might*
work -- ymmv

iptables -t nat -N masq_filter
iptables -t nat -A POSTROUTING -s x.x.x.x -d 10.10.10.0/24 -j masq_filter
# the above line includes an assumption that MIGHT BE WRONG!!!! I don't know
# what your netmask is!!!!!!!!!
iptables -t nat -A masq_filter -d 10.10.10.5 -j RETURN
iptables -t nat -A masq_filter -d 10.10.10.8 -j RETURN
iptables -t nat -A masq_filter -j MASQUERADE

Filling in the IPs to NOT masquerade one at a time, perhaps with a
loop as Pascal suggests above, with appropriate modifications...

--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
* Re: Two IP add
From: Pascal Italiaander @ 2003-06-05 23:56 UTC
To: Alistair, Netfilter

On Friday 6 June 2003 00:56, you wrote:
> On June 5, 2003 01:54 pm, Pascal Italiaander wrote:
> > [...]
> > NO_MASK="10.10.10.5 10.10.10.8"
> >
> > if [ "${NO_MASK}" != "" ] ; then
> >   for nomask in ${NO_MASK}; do
> >     iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j MASQUERADE
> >   done;
> > fi
> >
> > > This is a bit more flexible, because you can add more IPs to NO_MASK
> > > easily without changing the rule itself or having to write a new line.
> >
> > Pascal
>
> I somehow don't think this will do what we want here.
> Rule 1 from this loop will MASQUERADE any IP that is
> NOT 10.10.10.5, which unfortunately includes 10.10.10.8,
> and rule #2 will never be hit by the 10.10.10.8 packet.
>
> I would suggest that we want to take the entire segment
> and manage it separately, but I have no experience with
> creating user chains in the nat table, although this *might*
> work -- ymmv
>
> iptables -t nat -N masq_filter
> iptables -t nat -A POSTROUTING -s x.x.x.x -d 10.10.10.0/24 -j masq_filter
> # the above line includes an assumption that MIGHT BE WRONG!!!! I don't know
> # what your netmask is!!!!!!!!!
> iptables -t nat -A masq_filter -d 10.10.10.5 -j RETURN
> iptables -t nat -A masq_filter -d 10.10.10.8 -j RETURN
> iptables -t nat -A masq_filter -j MASQUERADE
>
> Filling in the IPs to NOT masquerade one at a time, perhaps with a
> loop as Pascal suggests above, with appropriate modifications...

Yes, correct, now you mention it I see it also.
2 lines were added to the filter list and would not traverse the firewall
if the IP was 10.10.10.8.

However the syntax could be reused, with this modification.
So, combining the information, we get this example:

MASQ="yes"                        # Do you need masquerading?
NO_MASK="10.10.10.5 10.10.10.8"   # IPs which don't need masquerading (watch the single space)
INET="10.10.10.0/24"              # Local network + subnet
EX_IF="eth0"                      # External interface

if [ "${MASQ}" == "yes" ]; then
  if [ "${NO_MASK}" != "" ] ; then
    for nomask in ${NO_MASK}; do
      iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j RETURN
      iptables -A POSTROUTING -t nat -s ${INET} -o ${EX_IF} -j MASQUERADE
    done;
  else
    iptables -A POSTROUTING -t nat -s ${INET} -o ${EX_IF} -j MASQUERADE
  fi
fi

Greetings, Pascal
Have fun
* Re: Two IP add
From: Alistair Tonner @ 2003-06-06 1:10 UTC
To: Pascal Italiaander, Netfilter

On June 5, 2003 07:56 pm, Pascal Italiaander wrote:
> On Friday 6 June 2003 00:56, you wrote:
> > [...]
> > I somehow don't think this will do what we want here.
> > Rule 1 from this loop will MASQUERADE any IP that is
> > NOT 10.10.10.5, which unfortunately includes 10.10.10.8,
> > and rule #2 will never be hit by the 10.10.10.8 packet.
> >
> > I would suggest that we want to take the entire segment
> > and manage it separately, but I have no experience with
> > creating user chains in the nat table, although this *might*
> > work -- ymmv
> >
> > iptables -t nat -N masq_filter
> > iptables -t nat -A POSTROUTING -s x.x.x.x -d 10.10.10.0/24 -j masq_filter
> > # the above line includes an assumption that MIGHT BE WRONG!!!! I don't
> > # know what your netmask is!!!!!!!!!
> > iptables -t nat -A masq_filter -d 10.10.10.5 -j RETURN
> > iptables -t nat -A masq_filter -d 10.10.10.8 -j RETURN
> > iptables -t nat -A masq_filter -j MASQUERADE
> >
> > Filling in the IPs to NOT masquerade one at a time, perhaps with a
> > loop as Pascal suggests above, with appropriate modifications...
>
> Yes, correct, now you mention it I see it also.
> 2 lines were added to the filter list and would not traverse the firewall
> if the IP was 10.10.10.8.
>
> However the syntax could be reused, with this modification.
> So, combining the information, we get this example:
>
> MASQ="yes"                        # Do you need masquerading?
> NO_MASK="10.10.10.5 10.10.10.8"   # IPs which don't need masquerading (watch the
> single space)
> INET="10.10.10.0/24"              # Local network + subnet
> EX_IF="eth0"                      # External interface
>
> if [ "${MASQ}" == "yes" ]; then
>   if [ "${NO_MASK}" != "" ] ; then
>     for nomask in ${NO_MASK}; do
>       iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j RETURN
>       iptables -A POSTROUTING -t nat -s ${INET} -o ${EX_IF} -j MASQUERADE
>     done;
>   else
>     iptables -A POSTROUTING -t nat -s ${INET} -o ${EX_IF} -j MASQUERADE
>   fi
> fi
>
> Greetings, Pascal
> Have fun

Now we're getting somewhere, but you need to take out the !

iptables -t nat -A POSTROUTING -s x.x.x.x -d ! ${nomask} -j RETURN

should be

iptables -t nat -A POSTROUTING -s x.x.x.x -d ${nomask} -j RETURN

--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
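The chain semantics the thread argues about, as an added example that is not code from any of the posters: a small Python model of nat POSTROUTING traversal (-s/-d matching with "!" negation, the RETURN, DROP and MASQUERADE targets, and a jump into a user-defined chain), run over the rule layouts proposed above. The LAN source 192.168.1.0/24 is a constructed stand-in for the thread's x.x.x.x, and the user-chain variant keys the jump on the source only, so traffic to every other destination still reaches the final MASQUERADE rule.

```python
import ipaddress

LAN = "192.168.1.0/24"                  # constructed stand-in for the thread's x.x.x.x
EXEMPT = ["10.10.10.5", "10.10.10.8"]   # NO_MASK from the thread

def R(target, src=None, dst=None, not_dst=False):
    """One rule: [-s src] [-d [!] dst] -j target."""
    rule = {"target": target}
    if src: rule["src"] = (src, False)
    if dst: rule["dst"] = (dst, not_dst)
    return rule

def match(rule, pkt):
    for key in ("src", "dst"):
        if key in rule:
            net, negate = rule[key]
            inside = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(net)
            if inside == negate:        # miss, or a hit on a "!"-negated match
                return False
    return True

def walk(chains, name, pkt):
    """Walk one chain. Returns a terminal verdict, or None when the chain is
    left without one (RETURN, or fell off the end)."""
    for rule in chains[name]:
        if not match(rule, pkt):
            continue
        target = rule["target"]
        if target == "RETURN":
            return None
        if target in chains:            # jump into a user-defined chain
            v = walk(chains, target, pkt)
            if v is not None:
                return v
            continue                    # user chain returned: try the next rule
        return target                   # DROP and MASQUERADE are terminal
    return None

def verdict(chains, dst, src="192.168.1.10"):
    # The built-in nat chains have policy ACCEPT: leaving POSTROUTING without
    # a verdict means the packet goes out with its source address unchanged.
    return walk(chains, "POSTROUTING", {"src": src, "dst": dst}) or "ACCEPT"

# 1. DROP in the nat table: the packet is discarded, not exempted.
DROP_RULES = {"POSTROUTING": [R("DROP", dst=e) for e in EXEMPT]}
# 2. "-d ! X -j MASQUERADE" per address: rule one already matches everything but X.
NAIVE_LOOP = {"POSTROUTING": [R("MASQUERADE", src=LAN, dst=e, not_dst=True)
                              for e in EXEMPT]}
# 3. RETURN per address, but MASQUERADE appended inside the loop (above RETURN #2).
MASQ_IN_LOOP = {"POSTROUTING": [r for e in EXEMPT
                                for r in (R("RETURN", dst=e), R("MASQUERADE", src=LAN))]}
# 4. User chain: every RETURN first, a single MASQUERADE last.
USER_CHAIN = {"POSTROUTING": [R("masq_filter", src=LAN)],
              "masq_filter": [R("RETURN", dst=e) for e in EXEMPT] + [R("MASQUERADE")]}
```

Running verdict() for destinations 10.10.10.5, 10.10.10.8 and an outside host against each layout shows that only the user-chain layout leaves both exempt servers un-masqueraded while still masquerading everything else.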