From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: static IP to dynamic IP
Date: Fri, 15 Oct 2004 14:22:53 -0400
Message-ID: <20041015182253.GA7592@bender.817west.com>
In-Reply-To: <20041015174456.20376.qmail@web21523.mail.yahoo.com>
On Fri, Oct 15, 2004 at 10:44:56AM -0700, kate wrote:
> Hi, I am trying to modify a fw script that would work
> for my small lan, except I need to change references
> of static IP and SNAT. to eth0 and MASQUERADE, - but
> when I run the script it gives me Bad argument `eth0'
in general--you can find the line where any bash script blows up by
running: bash -x script.sh
> The script is below, with my notes on changes I've
> made so far. Any help greatly appreciated.
>
> #(1) Policies (default) - modified with notation
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # (2) User defined chain for ACCEPTed TCP packets
> iptables -N okay
> iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
>
> # (3) INPUT chain rules
>
> # Rules for incoming packets from LAN
> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/16 -j
> ACCEPT
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.1.1 -j
> ACCEPT
> iptables -A INPUT -p ALL -i lo -s -i eth0 -j ACCEPT
but i can tell you that the above line is the one blowing up. you have
specified "-s" with no IP address following it...you've also specified
"-i" twice--which doesn't make any sense--a packet only has one inbound
interface.
> ## WAS -> ... 123.45.67.89 -j ACCEPT
> iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j
> ACCEPT
>
> # Rules for incoming packets from Internet
> # Packets for established connections
> iptables -A INPUT -p ALL -d -i eth0 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> ## WAS - > ... -d 123.45.67.89 -m...
k--i guess i see your pattern here...you need to figure out what
your IP address actually is earlier in the script and just use the IP
address--there's no magic "substitute the IP of the interface" variable
with iptables (except for MASQ which we get to later). one of the 8
million (i've counted) ways to do this would be:
ETH0_IP=`ip -4 -o addr sh eth0 | awk '{print $4}' | cut -d"/" -f1`
and then reference $ETH0_IP wherever you need the IP address of eth0.
[ snip ]
> # (6) POSTROUTING chain rules
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> ## was -> ... -j SNAT --to-source 123.45.67.89
yes--MASQ is the proper way to SNAT with a dynamic IP.
-j
--
Jason Opperisano <opie@817west.com>
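The pattern from the reply above, worked through as an added example (not Jason's or kate's script): compute the interface address once at the top of the script, refuse to build rules when the dynamic link has no address yet (otherwise `-s`/`-d` would be empty, which is exactly the "Bad argument" failure), and let MASQUERADE do the source NAT. The `ip` output below is constructed, and `IPT` defaults to `echo` so nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example: derive ETH0_IP up front and reference it in the rules.
# IPT defaults to "echo iptables" so the script runs offline; set IPT=iptables for real.
IPT="${IPT:-echo iptables}"

# Reduce `ip -4 -o addr show <iface>` output (on stdin) to one bare IPv4 address.
# Takes only the first address, so an interface with several does not yield a
# multi-line variable. Prints nothing and returns 1 when the interface has no
# IPv4 address yet (e.g. before the DHCP lease arrives on a dynamic link).
iface_ipv4() {
    awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }' | grep .
}

# Emit the rules that previously hard-coded the static address, now built from
# the computed one; MASQUERADE needs no address at all.
build_rules() {
    ip="$1"
    $IPT -A INPUT -p ALL -i lo -s "$ip" -j ACCEPT
    $IPT -A INPUT -p ALL -i eth0 -d "$ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

# Constructed sample of `ip -4 -o addr show eth0` (not captured from a real host).
SAMPLE_ETH0='2: eth0    inet 203.0.113.7/24 brd 203.0.113.255 scope global dynamic eth0\       valid_lft 86234sec preferred_lft 86234sec'
# Constructed sample for an interface that has no IPv4 address yet.
SAMPLE_NOADDR=''

# On a real host: ETH0_IP=$(ip -4 -o addr show eth0 | iface_ipv4) || exit 1
ETH0_IP=$(printf '%s\n' "$SAMPLE_ETH0" | iface_ipv4) || {
    echo "eth0 has no IPv4 address yet; not building rules with an empty address" >&2
    exit 1
}
build_rules "$ETH0_IP"
```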